ISO/IEC TR 27103:2018 — Information technology — Security techniques — Cybersecurity and ISO and IEC standards (first edition)
Abstract
“ISO/IEC TR 27103:2018 provides guidance on how to leverage existing standards in a cybersecurity framework.” [Source: ISO/IEC TR 27103:2018]
Introduction
If “cybersecurity” is simply that part of information security concerned with IT, then existing information risk and security standards are directly relevant to cyber risk and security.
An Information Security Management System as specified in ISO/IEC 27001 and other ISO27k standards is generally accepted as a comprehensive management system, governance framework or structure with which to manage information risks, including “cyber” risks pertaining to IT and the Internet among others.
Scope of the standard
Guidance on using existing ISO and IEC standards (not just ISO27k) in a ‘cybersecurity framework’.
Content of the standard
Using an arbitrary structure, the standard references relevant ISO and IEC standards down to the first-level subclauses (e.g. ISO/IEC 27001:2013 clause 9.3) where they are deemed relevant to various aspects of cybersecurity.
Status
The first edition of this standard was published as a Technical Report in 2018.
It was confirmed unchanged in 2022.
The TR is now being updated to reflect ISO/IEC 27002:2022. It is intended to explain how to manage cybersecurity risk in a comprehensive and structured manner drawing on processes, governance and controls from current ISO and IEC standards (not just ISO27k!).
Despite little apparent interest/involvement from the committee, the update project has somehow reached Draft International Standard stage. Publication is planned for 2026. Following a clarification/change of ISO policy, it is set to become a Technical Specification instead of a Technical Report.
Personal comments
The original project set out to develop an internal SC 27 Standing Document explaining how various ISO and IEC standards can usefully be applied to cybersecurity. Somehow, it ended up producing a Technical Report in the ISO27k series that singularly failed to define “cybersecurity” and related terms such as “cyber risk”, “cybersecurity risk” and “cybersecurity framework” (as did ISO/IEC 27032).
Vague and indistinct terminology makes this standard decidedly unhelpful and problematic. It perpetuates and even accentuates the myth that ‘cyber’ means something different, new and special, for example baldly asserting that “Cybersecurity is a relatively new discipline”. Relative to what - the abacus? Stone tablets? Balls and chains?
It seems to me ‘cyber’ is a hot potato that nobody is willing to grasp, a solid gold buzzword.
In revising this standard, ISO/IEC JTC 1/SC 27 has the opportunity to:
- Establish a consensus definition for ‘cyber’ and related terms, clarifying the differences from existing well-established terms such as information security (and, ideally, information risk), and defining the scope (e.g. is ‘cyber’ IT, systems, networks, technology, the Internet, external threats, a marketing term, something to do with war, or what? We still don’t know);
- Explain the fundamental principles for managing (identifying, assessing and treating) cyber risks, again clarifying any differences from conventional information risk management (personally, I’m not convinced there are any material differences);
- Provide a strategic view on the extent to which existing ISO27k standards cover this area, identifying any weaknesses or gaps where additional guidance might be justified (which sounds like an internal SC 27 document to me).
Alternatively, SC 27 could have followed the lead of the ISO/IEC 27029 project by reverting to a freely-available and more readily and cheaply maintained Standing Document - internal guidance for SC 27 - instead of revising the formal standard. But no, a revised TR/TS it is to be, and one that again leaves key terms undefined. I despair.