ISO/IEC 27101 — Information technology — Security techniques — Cybersecurity framework development guidelines [DRAFT]


The standard will offer guidance for those within organizations who are creating cybersecurity frameworks.


Scope of the standard

The standard will define “a minimum set of concepts ... to help ease the burden” of those who are creating and implementing cybersecurity frameworks.


Content of the standard

    5 Overview

    6 Concepts

      6.1 General

      6.2 Identify

      6.3 Protect

      6.4 Detect

      6.5 Respond

      6.6 Recover

    7 Developing a cybersecurity framework

    Annex A: outlines some inputs, activities and outputs for each of the identify, protect, detect, respond and recover stages.

    Annex B: untitled, purpose unclear.

    Annex C: a listing of (mostly) national cybersecurity frameworks.


The standard is at Working Draft stage, a bit behind schedule.

It is due to be published in 2020.


Personal notes

The intended audience and purpose of this standard are hard to fathom. Who is it for, and what is a “cybersecurity framework” anyway?

  • The introductory text refers to a “cybersecurity framework” as “documents and tools to help organize and communicate cybersecurity activities” ... but doesn’t explain ‘cybersecurity’. This is yet another ISO27k ‘cybersecurity’ project that studiously avoids defining the term, using woolly language to confuse instead of clarify;
  • The distinction between “creators” and “implementors” of “cybersecurity frameworks” implies a conventional waterfall approach i.e. someone first identifies requirements, designs and develops a solution (the “framework”) which someone else then puts into operation. There is no hint in the WD that the process might be iterative, or that both phases would need to be governed and managed appropriately. However, I’m guessing here since the WD does not elaborate: it simply states that the creators are the intended audience;
  • The examples listed in Annex C suggest a “cybersecurity framework” might be a strategic approach for dealing with (presumably IT and Internet-related information) risks to critical national infrastructures, implying therefore that the “cybersecurity framework creators” would be government officials. But I’m guessing again, hunting between the lines for any crumbs of sense.

The relationship between a cybersecurity framework and an ISMS remains unclear at this point. Those “documents and tools” sound to me suspiciously like the embodiment of a management system, despite stating “This document is not intended to supersede or replace the requirements of an ISMS given in 27001 [sic]”.



Copyright © 2019 IsecT Ltd.