ISO/IEC 27011:2024 / ITU-T X.1051 — Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations (third edition)
Abstract
“The scope of this Recommendation | International Standard is to provide guidelines supporting the implementation of information security controls in telecommunications organizations. The adoption of this Recommendation | International Standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant information security property.” [Source: ISO/IEC 27011:2024/ITU-T X.1051]
Introduction
This ISMS implementation guide for the telecoms industry was developed jointly by ITU-T and ISO/IEC JTC 1/SC 27, with the identical text being dual-numbered as both ISO/IEC 27011 and ITU-T X.1051.
Scope and purpose
This standard guides telecoms organisations on the information security controls worth considering and adopting to mitigate their unacceptable information risks. As with ISO/IEC 27002, the controls are discretionary, not mandatory. Telecoms organisations are free to determine whether or not the controls are applicable according to their information risks, and they may prefer custom versions, bespoke controls or controls suggested by other sources. Ideally, they would do so using an Information Security Management System modelled on ISO/IEC 27001, managing and overseeing the controls and risks systematically.
Content of the standard
Aside from minor variations/explanations to a few of the ISO/IEC 27002:2022 controls, the ‘extended control set’ suggests 14 additional information security controls specifically for telecoms organisations.
For example, control 5.42 TEL - Non-disclosure of communications indicates that telecoms organisations should, if appropriate, secure metadata relating to the messages they handle for customers, as well as the messages themselves, unless they are legally obliged to disclose.
Status of the standard
The first edition was published in 2008.
The second edition was published in 2016, with a minor corrigendum in 2018.
Having been updated and substantially restructured to align with the 2022 version of ISO/IEC 27002, the third edition was published in March 2024.
Personal comments
It is good to see continued productive collaboration between these well-respected international standards bodies, despite the challenge and delays caused by batting the draft standard back and forth between their formal processes like a tennis ball at a Wimbledon final.