ISO/IEC 27022 — Information security, cybersecurity and privacy protection — Guidance on information security management system processes [DRAFT]
The standard will “provide a process reference model (PRM) for information security management, which clearly differentiates between ISMS processes and measures/controls.”
The standard is based on a PhD thesis.
According to the 1st Committee Draft: “The standard is intended to guide users of ISO/IEC 27001 to:
- incorporate the process approach as described by ISO/IEC 27000:2018 clause 4.3 within the ISMS
- incorporate all the work done within other standards of the ISO 27000 family from the perspective of the operation of ISMS processes
- support users in the operation of an ISMS – the document will complement the requirements oriented perspective of ISO/IEC 27003 with an operational, process oriented point of view.”
The standard should supplement ISO/IEC 27001, 27003 etc. “with an operational, process oriented perspective. So it will not be in conflict or duplicate the content of existing standards.”
Purpose and justification
The standard lays out, in some detail, a generic suite of ISMS processes that organizations can use as a basis for designing custom processes within their own ISMS.
Structure and content
The ISMS processes described cover:
- governance activities (confusingly titled ‘management processes’) - direction and oversight for the ISMS;
- core operations e.g. information risk and security management, policy management, incident management, internal audits ...; and
- support e.g. records management, communicating with interested parties about the ISMS, managing relationships with ISMS ‘customers’ ...
Drafting started in 2018. The standard is due to be published in 2022.
It is currently at 1st Committee Draft stage, with a new title.
It os hardly a revolutionary approach to treat an ISMS as a suite of processes. Many reasonably mature organizations already have processes for:
- Business continuity management (see ISO 22301);
- Change management plus configuration management and version control;
- Continuous improvement and maturity management;
- Database [security] management;
- Exemption management (management-approved noncompliance with policies);
- Identity, access rights and user account management;
- Incident management including incident investigation and forensics;
- Information management in general;
- Information [security] risk management (partly covered by ISO/IEC 27005);
- Information security management (covered by ISO/IEC 27001, 27002, 27003 and others);
- Internal audits and certification audits;
- Key management, plus the rest of cryptography;
- Log management, plus alarms and alerts;
- Metrics and management information management (partly covered by ISO/IEC 27004);
- Performance and capacity management;
- Preventive and corrective actions;
- Quality management, especially quality assurance;
- Service management [organizations that are heavily process-oriented may have ITIL/ISO20000, in which case ISO/IEC 27013 is applicable];
- Supplier/vendor relationship management;
- System and network [security] management;
- System/software development
... and more.
Providing generally-applicable advice without imposing further constraints is challenging. The processes need to be described without losing the flexibility to cater for myriad differences between organizations. In particular, the processes need to be valuable (cost-effective) in practice to justify their existence, for instance by:
- Removing unnecessary bureaucracy, rationalising and justifying whatever remains;
- Facilitating or encouraging process automation and innovation where applicable;
- Facilitating or encouraging use of existing processes, adapting them where necessary;
- Perhaps re-using effective ISMS processes elsewhere in the organization;
- Managing the processes themselves e.g. processes for monitoring, reviewing, evaluating and maintaining the processes, responding to changes, exploiting improvement opportunities etc.
< Previous standard ^ Up a level ^ Next standard >