ISO/IEC 27022 — Information technology — Security techniques — Guidance for ISMS processes [DRAFT]
According to the NWIP, this is intended to be a “detailed but generic blueprint regarding the core processes of an ISMS and - if suitable - information about management and support processes.”
The proposal is based on an academic thesis.
According to the NWIP, the standard will supplement ISO/IEC 27001, 27003 etc. “with an operational, process oriented perspective. So it will not be in conflict or duplicate the content of existing standards.”
Drafting started in 2018. The standard is due to be published in 2022.
It is currently at 2nd Working Draft stage.
The abbreviation “ISMS” will need to be expanded in the title when the standard is published.
It won’t be easy to adapt an academic approach to address the real-world problems of organizations struggling to identify and treat information risks within various constraints (not least the existing structure of ISO27k) ... but who knows, it might just move things along in a helpful direction.
Having said that, treating an ISMS as a suite of processes is hardly a revolutionary approach. Many organizations already have processes for:
- Business continuity management (see ISO 22301);
- Change management plus configuration management and version control;
- Continuous improvement and maturity management;
- Database [security] management;
- Exemption management (management-approved noncompliance with policies);
- Identity, access rights and user account management;
- Incident management including incident investigation and forensics;
- Information management in general;
- Information [security] risk management (partly covered by ISO/IEC 27005);
- Information security management (covered by ISO/IEC 27001, 27002, 27003 and others);
- Internal audits and certification audits;
- Key management, plus the rest of cryptography;
- Log management, plus alarms and alerts;
- Metrics and management information management (partly covered by ISO/IEC 27004);
- Performance and capacity management;
- Preventive and corrective actions;
- Quality management, especially quality assurance;
- Service management [organizations that are heavily process-oriented may have ITIL/ISO20000, in which case ISO/IEC 27013 is applicable];
- Supplier/vendor management;
- System and network [security] management;
- System and software development;
... and more.
Perhaps the intention is to document and integrate these somehow? Providing generally-applicable advice without imposing further constraints will be challenging. The 2nd WD includes several process diagrams that need to be carefully reviewed and updated to ensure they are flexible enough to cater for myriad differences between organizations while clarifying the essential elements of each process. In particular, the processes need to be valuable (cost-effective) in practice to justify their existence, for instance by:
- Removing unnecessary bureaucracy, rationalising and justifying whatever remains;
- Facilitating or encouraging process automation and innovation where applicable;
- Facilitating or encouraging use of existing processes, such as applying risk, supplier, incident, business continuity, policy, compliance, departmental, people, finance and project management processes to the ISMS realm, adapting them where necessary - perhaps even using effective ISMS processes elsewhere in the organization;
- Managing the processes themselves, e.g. processes for monitoring, reviewing, evaluating and maintaining the processes, responding to changes, exploiting improvement opportunities etc.