ISO/IEC TS 27100




 

ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts (new ISO27k standard, January 2021)

Introduction

According to the standard (strictly a Technical Specification rather than a full International Standard):

    “Cybersecurity is a broad term used differently through the world. This document defines cybersecurity, establishes its context, and describes relevant concepts, including how cybersecurity is related to and different from information security.

    Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many of the information security controls, methods, and techniques can be applied to manage cyber risks.”

 

Scope of the standard

“This document provides the overview of cybersecurity.”

 

Content of the standard

The standard explains various terms and concepts relating to cybersecurity and cyber risk management, contrasting them with information risk and information security management.

 

Status

January 2021 update: the standard was published at the end of 2020.

 

Personal notes

It seems to me two cyber worlds coexist on parallel planes:

  1. Critical national infrastructure: within the realm of government and defence, a significant concern is to protect the nation’s water, power, comms, financial systems, food supplies etc. from substantial attacks by foreign powers, terrorists or whatever through the Internet. Scary stuff! Those nations that are actively developing offensive capabilities in this area have a vested interest in other nations not developing their defensive capabilities ... hence I suspect some may be deliberately spreading confusion and frustrating attempts to bring clarity to this area among potential targets (through this international standard, for instance). It’s a delaying tactic.
  2. Plain old IT security, network security and Internet security in particular: protecting digital data in general against deliberate attacks. This is the everyday world, nothing special - a subset of information security in fact. Move along please, nothing to see here.

Rather than clarifying the concepts and terminology, moving the field forward, the standard muddies the waters - possibly the desired outcome of #1 above.

Thankfully, it is just 17 pages and I suspect is destined to become a little-known cul-de-sac off the information superhighway, despite the project team’s desire for ISO to promote it as a substantial contribution to the field. They claim “cybersecurity is simply an evolution of information security” and that the standard “provides much needed explanation in the environment of general confusion about the differences and similarities between cybersecurity and information security”: ‘in the environment of general confusion’ is a very curious way of putting it. Ironic, really, for a standard that is meant to clarify things ...

 


Copyright © 2021 IsecT Ltd.