ISO/IEC TS 27100 — Information technology — Security techniques — Cybersecurity — Overview and concepts [DRAFT]
The standard will provide an overview of cybersecurity, describing relevant concepts.
Scope of the standard
The standard will enable the concepts of cybersecurity to be shared and discussed.
It will compare and contrast cybersecurity with [the ISO27k version of] information security.
It will apply within an organization, in relationships between organizations and more broadly across society.
It will be particularly relevant to management.
“Cybersecurity has emerged as a critical topic globally. While it has similarities to information security, it is different. It is neither well understood nor defined nor standardized with different interpretations and disparate regulations, increasing costs and burdens for industry and society. The standard will guide stakeholders to help alleviate these burdens and create coherence.”
Content of the standard
The standard explains various terms and concepts relating to cyber security and cyber risk management, contrasting them against information risk and security management.
The standards project started in 2018. It is due to be published at the end of 2021.
It is at Preliminary Draft Technical Specification ballot stage.
To my cynical eye, the 1st draft got off to a bad start with the introduction:
- “Cybersecurity has emerged as a critical topic globally.” No: ‘cyber’ is a buzzword. Cynics say that cyber = budget. I’ve no problem with budget but cyber isn’t a helpful term. Worse than that, as commonly used to mean something vaguely relating to ‘IT, Internet and/or network security’, it is a retrograde step.
- “While it appears to be similar to information security and many of the information security controls, methods, and techniques can be applied to manage cybersecurity risks, cybersecurity is distinct and different from information security.” So, it is ‘distinct and different’? I just can’t wait to read about those distinctions and differences ...
- “Governments, regulators, businesses, media, and consumers across the world are now aware of cybersecurity as a risk to them and to society.” Cybersecurity is a risk! What a bizarre abuse of terminology! This sentence is pure smoke. Stuff and nonsense! Oh and by the way, “media” has many meanings: which one is intended here?
- “While cybersecurity has become a well-known topic, it is not well-defined or well understood.” I completely disagree that it is ‘well-known’: that is the crux of the mess that much of the world, and now SC 27 as well, has got itself into. There are plenty of people spouting off about it but very few are making sense. Also, that sentence is self-contradictory. How can something that is ‘well-known’ not be ‘well-defined’ or ‘well understood’? In what sense is it ‘known’ without definition and comprehension?
The 2nd draft defined, explained or interpreted cybersecurity (occasionally ‘cyber security’) several times:
- “Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks ... Cybersecurity is a well-known topic, but it is not well-defined or well understood ... Cybersecurity focusses [sic] on the security of information (regardless of media or format) and associated risks in a digital environment” [introduction]
- “safeguarding of society, people, organizations and nations from cyber risks. Note to entry: Safeguarding means to keep cyber risk at a tolerable level” ... where cyber risk is defined as “risk caused by a cyber threat” and cyber threat is defined as “threat that exploits a cyberspace” and cyberspace is defined as “interconnected digital environment of networks, services, systems, and processes” ... hence the literally extended definition of cybersecurity is “safeguarding of society, people, organizations and nations from risks caused by threats that exploit an interconnected digital environment of networks, services, systems, and processes” [section 3]
- “Collectively, the measures that cyberspace participants take to manage cyber risks are known as cybersecurity. The objective of adequate cybersecurity is to maintain an acceptable level of stability, continuity, and safety of entities operating in cyberspace. While it is not possible to always achieve these objectives, cybersecurity aims to reduce cyber risks to a tolerable level.” [section 5.2]
- “Cybersecurity transcends the boundaries and control of an organization because of the interconnectedness of cyberspace. Organizations frequently interface and interact with external entities by using cyberspace. As such, the use of cyberspace represents risks to the organization that need to be managed as a part of organization’s ISMS.” [section 6.2.1]
- “The definition of cybersecurity is inclusive of varied understandings of the term conceived by entities including different persons, organizations and nations and of different roles in society, industry and economy. Entities from sectors, e.g. general business organizations, persons, government agencies, public utilities, financial service providers, transport service providers, manufacturers and Information and Communication Technology (ICT) service providers, can have respective views about cybersecurity characterised by their own threat scenarios. There can be sector specific understandings of cybersecurity.” [section 8.1 - a cracker, that one! The definition of cybersecurity is context-dependent! So much for international standards!]
- “Threats in cybersecurity” [the title of section 8.1 suggests that cybersecurity has internal threats, threats within the concept or area of concern?]
Frankly, I’m confused. The definitions aren’t clear, e.g. cybersecurity is defined as “safeguarding of people, society, organizations and nations from cyber risks - Note to entry: Safeguarding means to keep cyber risks at a tolerable level”. However, since “cyber risks” are not defined, it is uncertain what is to be kept at a tolerable level, nor what ‘tolerable level’ means.
Casually mentioning “cyberspace” and Internet of Things doesn’t help.
As I see it, the root of the problem is that two cyber worlds coexist on parallel planes:
- Critical national infrastructure: within the realm of government and defence, a significant concern is to protect the nation’s water, power, comms, financial systems, food supplies etc. from substantial attacks by foreign powers, terrorists or whatever through the Internet. Scary stuff! Those nations that are actively developing offensive capabilities in this area have a vested interest in other nations not developing their defensive capabilities ... hence I suspect some may be deliberately spreading confusion and frustrating attempts to bring clarity to this area among potential targets (through this international standard, for instance). It’s a delaying tactic.
- Plain old IT security, network security and Internet security in particular: protecting digital data in general against deliberate attacks. This is the everyday world, nothing special - a subset of information security in fact. Move along please, nothing to see here.
Rather than clarifying the concepts and terminology, moving the field forward, the standard muddies the waters.
Despite the overall approval vote, substantial technical comments on the Draft Technical Specification point to lingering issues with the standard.