ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts


Abstract

“This document provides the overview of cybersecurity. The terms and definitions provided in this document describe cybersecurity and relevant concepts; do not cover all terms and definitions applicable to cybersecurity; do not limit other standards in defining new cybersecurity-related terms for use.”
[Source: SC27 Standing Document 11 (2021)]

Introduction

According to this Technical Specification:

    “Cybersecurity is a broad term used differently through the world. This document defines cybersecurity, establishes its context, and describes relevant concepts, including how cybersecurity is related to and different from information security.

    Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many of the information security controls, methods, and techniques can be applied to manage cyber risks.”


Scope of the standard

“This document provides the overview of cybersecurity.”


Content of the standard

The standard explains various terms and concepts relating to cybersecurity and cyber risk management, contrasting them with the corresponding concepts in information risk and security management.


Status

The standard was published at the end of 2020.


Personal notes

It seems to me two cyber worlds coexist on parallel planes:

  1. Critical national infrastructure: within the realm of government and defence, a significant concern is to protect the nation’s water, power, comms, financial systems, food supplies etc. from substantial attacks by foreign powers, terrorists or whatever through the Internet. Scary stuff! Those nations that are actively developing offensive capabilities in this area have a vested interest in other nations not developing their defensive capabilities ... hence I suspect some may be deliberately spreading confusion and frustrating attempts to bring clarity to this area among potential targets (through this international standard, for instance). It’s a delaying tactic.
  2. Plain old IT security, network security and Internet security in particular: protecting digital data in general against deliberate attacks. This is the everyday world, nothing special - a subset of information security in fact. Move along please, nothing to see here.

Rather than clarifying the concepts and terminology, moving the field forward, the standard muddies the waters - possibly the desired outcome of #1 above.

Thankfully, it is just 17 pages and I suspect is destined to become a little-known cul-de-sac off the information superhighway, despite the project team’s desire for ISO to promote it as a substantial contribution to the field. They claim “cybersecurity is simply an evolution of information security” and that the standard “provides much needed explanation in the environment of general confusion about the differences and similarities between cybersecurity and information security”: ‘in the environment of general confusion’ is a very curious way of putting it. Ironic, really, for a standard that is meant to clarify things ...

Copyright © 2021 IsecT Ltd.