ISO/IEC 27101 — Information technology — Security techniques — Cybersecurity framework development guidelines [DRAFT]


The standard will offer guidance for those developing cybersecurity frameworks.


Scope of the standard

The standard will define “a minimum set of concepts ... to help ease the burden” of those who are creating and implementing cybersecurity frameworks.


Content of the standard

5 Overview

6 Concepts

    6.1 Identify

    6.2 Protect

    6.3 Detect

    6.4 Respond

    6.5 Recover


The Working Draft is being knocked into shape.


Personal notes

This appears to be a kind of meta-standard (a standard about developing standards), jumping aboard the cybersecurity bandwagon.

Its intended audience is poorly defined:

  • Those who are “creating” cybersecurity frameworks could mean standards bodies, hence this might be another SC27 internal guideline, a Standing Document in the lingo;
  • Some organizations might “create” their own cybersecurity frameworks to suit their particular circumstances but I’m not sure they would find much value in a generic standard;

I can barely guess what this project is doing at this stage: the outline structure suggests perhaps a set of considerations or controls operating at different stages of the incident lifecycle.

The WD1 introduction hints at aligning ‘cybersecurity frameworks’ defined self-referentially as “a basic set of concepts used to organize and communicate cybersecurity activities”. Unfortunately, ‘cybersecurity’ is not actually defined, hence this is yet another ISO27k standards project casually ducking a critical issue as if we won’t notice.

WD1 further confuses matters with a diagram that shows stuff feeding into an ISMS ... clearly implying strong similarities to information security management after all. Gosh, fancy that.
