ISO/IEC TS 27022



ISO/IEC TS 27022:2021 — Information technology — Guidance on information security management system processes (published March 2021)

Introduction

The standard (a Technical Specification) “provides a process reference model (PRM) for information security management, which differentiates between ISMS processes and measures/controls initiated by them ... [and] describes the ISMS processes implied by ISO/IEC 27001.”

The standard is based on a PhD thesis submitted to the Universidad Carlos III de Madrid, Spain.


Scope

According to the scope, the standard “is intended to guide users of ISO/IEC 27001 to:

  • incorporate the process approach as described by ISO/IEC 27000:2018 clause 4.3 within the ISMS
  • be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes
  • support users in the operation of an ISMS – the document will complement the requirements oriented perspective of ISO/IEC 27003 with an operational, process oriented point of view.”

The standard does not define any new ISMS requirements beyond those already defined in ISO/IEC 27001. In other words, it is advisory rather than mandatory.


Purpose and justification

The standard lays out, in some detail, a Process Reference Model comprising a generic suite of ISMS processes that organizations may wish to use as a basis for designing custom processes within their own ISMS.


Structure and content

The ISMS processes described fall into three “categories” (types or groups):

  • Governance activities (confusingly titled ‘management processes’) - direction and oversight for the ISMS;
  • Core operations e.g. information risk and security management, policy management, incident management, internal audits ...; and
  • Support e.g. records management, communicating with interested parties about the ISMS, managing relationships with ISMS ‘customers’ ...

The processes are each laid out in an Appendix, first as a table specifying:

  • Process “category” denoting the type of process
  • A brief description
  • Objective/purposes
  • Input[s] and Output[s]
  • Activities/functions i.e. a few words for each of the main steps in the process
  • Informative references.

The table is followed by a flowchart summarising the process, fitting on a single page side or less.

Status

Drafting commenced in 2018 and progressed rapidly, thanks largely to the contributed donor content.

April update: ISO/IEC TS 27022 was published in March 2021.

Personal comments

It is hardly a revolutionary approach to treat an ISMS as a suite of processes.  Many reasonably mature organizations already have processes for:

  1. Asset management;
  2. Audit management, both internal and external;
  3. Business continuity management (see ISO 22301);
  4. Change management plus configuration management and version control;
  5. Continuous improvement and maturity management;
  6. Database [security] management;
  7. Exemption management (management-approved noncompliance with policies);
  8. Facilities management including power and other services for the computer room;
  9. Identity, access rights and user account management;
  10. Incident management including incident investigation and forensics;
  11. Information management in general;
  12. Information [security] risk management (partly covered by ISO/IEC 27005);
  13. Information security management (covered by ISO/IEC 27001, 27002, 27003 and others);
  14. IT!
  15. Internal audits and certification audits;
  16. Key management, plus the rest of cryptography;
  17. Log management, plus alarms and alerts;
  18. Metrics and management information management (partly covered by ISO/IEC 27004);
  19. Monitoring and oversight of the risk management and security arrangements;
  20. Patching, including emergency arrangements for urgent fixes;
  21. Performance and capacity management;
  22. Personnel/HR management including “onboarding” and “offboarding” (nasty neologisms!);
  23. Preventive and corrective actions;
  24. Quality management, especially quality assurance;
  25. Service management [organizations that are heavily process-oriented may be using ITIL/ISO20000, in which case ISO/IEC 27013 is applicable];
  26. Supplier/vendor relationship management, including telecomms, Internet and cloud services, outsourced development, contract security guards, maintenance/servicing, professional services/consulting/contracting etc.;
  27. System and network [security] management;
  28. System/software development and testing ...

... and more.

Providing generally-applicable advice without imposing further constraints is challenging. The processes need to be described without losing the flexibility to cater for myriad differences between organizations. In particular, the processes need to be valuable (cost-effective) in practice to justify their existence, for instance by:

  • Removing unnecessary bureaucracy, rationalising and justifying whatever remains;
  • Facilitating or encouraging process automation and innovation where applicable;
  • Facilitating or encouraging use of existing processes, adapting them where necessary;
  • Perhaps re-using effective ISMS processes elsewhere in the organization;
  • Managing the processes themselves e.g. processes for monitoring, reviewing, evaluating and maintaining the processes, responding to changes, exploiting improvement opportunities etc.

Despite overall approval, during drafting there were adverse comments about the implication that ISMS processes are distinct from normal operations, rather than being integral to the organisation’s routine activities. The process for managing an information security or privacy incident, for example, is essentially the same as that for managing any other incident, hence it is generally unnecessary to create another, parallel incident management process if the existing one (perhaps with a few tweaks) is effective. The standard is intended to be advisory rather than compulsory, and “is not intended to be used ‘out of the box’ without adapting it to the implementing organization” (quoting from section 4 of the draft).


Copyright © 2021 IsecT Ltd.