ISO/IEC TR 27103

ISO/IEC TR 27103:2018 — Information technology — Security techniques — Cybersecurity and ISO and IEC standards



“ISO/IEC TR 27103:2018 provides guidance on how to leverage existing standards in a cybersecurity framework.”
[Source: ISO/IEC TR 27103:2018]


If “cybersecurity” is simply that part of information security concerned with IT, then existing information risk and security standards are directly relevant to cyber risk and security.

An Information Security Management System as specified in ISO/IEC 27001 and other ISO27k standards is generally accepted as a comprehensive management system, governance framework or structure with which to manage information risks, including “cyber” risks pertaining to IT and the Internet.


Scope of the standard

“This document provides guidance on how to leverage existing standards in a cybersecurity framework.”


Content of the standard

“This document provides background on why having a risk-based, prioritized, flexible, outcome-focused, and communications-enabling framework for cybersecurity is important. It then describes the objectives of a strong cybersecurity framework and includes mapping to existing standards that can be used to achieve these objectives.”

Using an arbitrary structure, it references relevant ISO and IEC standards down to the first-level subclauses (e.g. ISO/IEC 27001:2013 clause 9.3) where they are deemed relevant to cybersecurity.



The standard was published in 2018 as a Technical Report.

A ‘design specification’ for updating the standard is to be produced for approval by SC 27 in April 2022 ... but see the note down below.


Personal notes

The project set out to develop an internal Standing Document for SC 27 explaining how ISO27k plus other ISO and IEC standards can usefully be applied to cybersecurity. Somehow, it ended up producing a Technical Report in the ISO27k series that fails, yet again, to define “cybersecurity” and related terms such as “cyber risk”, “cybersecurity risk” and “cybersecurity framework”, just as ISO/IEC 27032 also failed to do.

Vague and indistinct terminology makes this standard distinctly unhelpful and problematic. It perpetuates and even accentuates the myth that ‘cyber’ means something different, new and special, for example stating that “Cybersecurity is a relatively new discipline”. Relative to what - the abacus? Stone tablets? Balls and chains?

It seems to me ‘cyber’ is a hot potato that nobody is willing to grasp, a buzzword.

Through this standard, ISO/IEC JTC 1/SC 27 could have:

  • Established a consensus definition for ‘cyber’ and related terms, clarifying the differences from existing well-established terms such as information security (and, ideally, information risk), and defining the scope (e.g. is ‘cyber’ IT, systems, networks, technology, the Internet, external threats, a marketing term, something to do with war, or what? We still don’t know);
  • Explained the fundamental principles for managing (identifying, assessing and treating) cyber risks, again clarifying any differences from conventional information risk management (personally, I’m not convinced there are any material differences);
  • Provided a strategic view on the extent to which existing ISO27k standards cover this area, identifying any weaknesses or gaps where additional guidance might be justified.

In my personal, jaundiced, very cynical opinion, the published standard (OK, Technical Report) retards rather than advances the state of the art. It’s an opportunity lost, wasted effort, a very disappointing outcome for a committee that aims to lead the field.

Since the Preliminary Work Item for the next update states categorically that “This revision will be limited to updating this standard to align with the third edition of ISO/IEC 27002”, it appears the design for the revision is already specified: SC 27 has somehow predetermined that the standard will only be updated to reflect the new 2022 release of ISO/IEC 27002, denying the opportunity to make more fundamental improvements, such as addressing the issues I have noted above.

Copyright © 2022 IsecT Ltd.