ISO/IEC TS 27101 — Information Security, Cybersecurity and Privacy Protection — Cybersecurity framework development guidelines [DRAFT]
The standard will offer guidance for those within organizations who are creating cybersecurity frameworks.
Scope of the standard
The standard will define “a minimum set of concepts ... to help ease the burden” of those who are creating and implementing cybersecurity frameworks.
Content of the standard
Section 7: Developing a cybersecurity framework
Annex A: outlines some inputs, activities and outputs for each of the identify, protect, detect, respond and recover stages.
Annex B: untitled, purpose unclear.
Annex C: a listing of (mostly) national cybersecurity frameworks.
The standard has passed Preliminary Draft Technical Specification stage and looks likely to be published this year.
The intended audience and purpose of this standard is hard to fathom. Who is it for, and what is a “cybersecurity framework” anyway? Whose ‘burden’ is it seeking to lighten, and what is the nature of their burden?
- According to the introduction, “business groups, government agencies, and other organizations produce documents and tools called cybersecurity frameworks to help organize and communicate cybersecurity activities of organizations”. My toolbox is sadly lacking in “cybersecurity frameworks” so I guess this standard is not aimed at me;
- The standard makes no attempt to explain what it means by ‘cybersecurity’. This is yet another ISO27k ‘cybersecurity’ project that studiously avoids defining the term, using woolly language to confuse instead of clarify. So much for international standards pushing back the frontiers;
- The distinction between “creators” and “implementors” of “cybersecurity frameworks” implies a conventional waterfall approach i.e. someone first identifies requirements, designs and develops a solution (the “framework”) which someone else then puts into operation. There is no hint presently that the process might be iterative, or that both phases would need to be governed and managed appropriately. However, I’m guessing here since the standard does not elaborate: it simply states that framework creators are the intended audience;
- The ‘concepts’ that (according to the standard) “should be included in a cybersecurity framework” simply reflect the usual pre-, para- and post-incident stages, another simplistic linear timeline. This is hardly rocket surgery. However, the standard makes no attempt to justify why these specific ‘concepts’ ‘should’ be ‘included’, and completely ignores the possibility of other potential ‘concepts’ or framework structures (such as <ahem> ISO/IEC 27001 to name but one of several);
- The examples listed in Annex C suggest a “cybersecurity framework” might be a strategic approach for dealing with (presumably IT and Internet-related information) risks to critical national infrastructures, implying therefore that the “cybersecurity framework creators” would be government officials. But I’m guessing again, pecking between the lines for any crumbs of sense.
The relationship between a “cybersecurity framework” and a conventional ISMS remains unclear at this point. Those “documents and tools” sound to me suspiciously like the embodiment of a management system, despite the draft standard stating “This document is not intended to supersede or replace the requirements of an ISMS given in 27001 [sic]”.
To my cynical eye, this looks suspiciously like a (politically-motivated?) attempt to align ISO27k with - or perhaps amend ISO27k to embody - NIST’s CyberSecurity Framework specifically. Organizations that prefer the CSF are of course free to adopt it, so why change ISO27k, especially so long as “cybersecurity” remains a solid-gold buzzword that consistently defies definition? Oh I despair!