Other ISO27k standards



In addition to the ISO27k standards that have already been allocated numbers, SC 27 is considering further ISO27k standards and internal committee documents through a number of Study Periods and Preliminary Work Items, leading (if successful) to New Work Item Proposals, at which point (if agreed by SC 27) new standards are allocated ISO27k numbers ... and we set up the corresponding pages on this website to see them through to publication.

Please note: SC 27 projects are highly volatile at the early stages while research is undertaken to clarify their scope and purpose, obtain relevant inputs (such as other standards and donor documents channeled through the national bodies and liaisons) and secure sufficient interest and engagement to make it worthwhile progressing the standards development work. It is very hard for us to keep track of all the work going on so what follows below is mostly subjective opinion with countless errors and omissions. Please treat this as a very rough, inaccurate and incomplete guide - a heads-up on the kinds of stuff possibly on the horizon for SC 27.


Use of ISO/IEC 27001 family of standards in governmental/regulatory requirements

SC 27/WG1 developed an internal-use document (Standing Document 7) listing authorities such as governments and regulatory bodies that demand or recommend compliance with the ISO27k standards in various laws and regulations.

SC 27 is considering whether to publish SD7 as a Technical Report, making it publicly available, possibly free of charge.


Data life cycle log audit guidelines (PWI)

In 2020, a Preliminary Work Item was approved. The proposal indicated this standard will provide “guidelines for the management, use, protection and auditing of log records at all stages of the data life cycle” ... for ... “data life cycle log management, data security events monitoring and early warning, analysis and traceability etc.”


Requirement standards for bodies providing audit and certification of sector-specific information security management systems (PWI)

In 2020, this Preliminary Work Item project focused on the auditing of ‘sector-specific’ ISMSs.


Privacy and security of IoT security systems (PWI)

In 2020, a Preliminary Work Item team started investigating the possibility of a security and privacy standard specifically for IoT devices used for security purposes (e.g. CCTV, door locks), complementing existing standards for their functionality etc.


IoT Ad Hoc Group

In 2020, SC 27 initiated an AHG to coordinate and plan the work on IoT security and privacy standards.


Cyber-Physical Systems

In 2020, a project started evaluating the possibility of a security standard (or more likely a Technical Report) in the area of Cyber-Physical Systems, tentatively described in the proposal as:

“an engineering system which integrates the real time computing, real time communication and real time control features into the physical system, realizes perception and control on the physical process relying on the computing process, realizes the seamless combination of the cyberspace and the physical world” [ref: Study Report ISO/IEC JTC 1/WG 10 SRG 7 on Cyber Physical Systems (CPS) for IoT].

A Preliminary Work Item, available to SC 27, defines CPS as:

“Linked set of resources and processes composed of interacting digital, analog, physical, and human components designed for function through integrated physical space and cyberspace”
... and later:
“The CPS provides a methodology to quantify information such as a huge amount of observation data generated by a sensor network in the real world (physical space) by linking it with strong computing power in cyber space. In CPS, organisation or people can provide various products or services for the emerging needs through use of IoT, and sophisticated use of data collected by IoT systems. Use cases of CPS include energy infrastructures, manufacturing, building control, transportation, home electronics, and others.”

So, ‘the cyberspace’ is once again looming large.

For some reason, the emphasis is on IoT (or IIoT) sensor networks, with little mention of IoT/IIoT actuator networks and devices, robotics etc.

The project aims to:

  • Define “Cyber-Physical Systems”;
  • Identify security concerns [presumably meaning information risks] relevant to CPS;
  • Develop a security reference architecture for CPS [hopefully a set of controls and other risk treatments addressing the identified information risks]; and
  • Identify potential liaison partners i.e. organisations with an interest in the information security aspects of CPS who might collaborate on developing a standard.

The cunning plan is to define and agree the reference architecture quickly, before many [insecure] CPS are implemented.


Organisational Privacy Risk Management (NWIP)

It has been proposed to develop guidance for PII controllers and processors on how to address privacy risks to data subjects as part of an organisational privacy risk management program.

For organisations with a Privacy Information Management System, the standard will support privacy risk management.

Whereas organisational information risk analyses typically take the organisation’s perspective, emphasising incidents that might compromise the business, privacy risk analysis takes the individual’s perspective, emphasising incidents that might compromise someone’s privacy. The question then arises about how to address both types of risk simultaneously.


Network virtualisation security (SP)

This Study Period aimed to:

  • Introduce and describe network virtualisation;
  • Analyse related techniques and existing applications;
  • Analyse risks and challenges for network virtualisation security;
  • Propose security guidelines for network virtualisation infrastructure, network virtualisation function, service, control and resource management.

The identified information risks include:

  • Risks arising from virtualisation technology
    • Vulnerabilities in the virtualisation software such as virtual machine escape
    • Physical machine, virtual machine resource isolation, operating system vulnerabilities
    • Tampering with virtual machine images (‘mirrors’), infecting virtual machines with viruses and Trojan horses
    • Security policy not being synchronised when a virtual machine is migrated
  • Virtual machine and operating system software risks
    • Higher application software vulnerabilities
    • Security risks introduced by the architecture
    • Hacks and DDoS attacks on centralized controllers/orchestrators
    • Attacks using virtual or physical machines as tools
    • Vulnerabilities arising from backwards-compatibility
  • Network & communications risks
    • Difficulty in monitoring virtual machines with traditional IPS and antivirus (e.g. encrypted traffic preventing traditional content detection)
    • Fake MANO (management and orchestration) and fake VNF (virtual network function) components
    • Attackers misusing cloud resources for various attacks
    • Vulnerabilities in open interfaces for authentication and access control, plus data spoofing and tampering.
  • Data security risks
    • Leakage of sensitive data from physical and/or virtual machines
    • Administrators’ privileged access
    • Failure to erase data securely when it is deleted or migrated
  • Security management risks
    • Complex strategy with potential for gaps and conflicts
    • Operations staff have opportunities to access user and business data.

That’s a good start! The list may not be complete but it’s a rational structure with plenty of potential for guidance, setting the scene nicely for a new part to ISO/IEC 27033.


Guidelines for Security and Privacy in IoT Domotics (home IoT systems; smart home/building) (NWIP)

The modern IT-enabled ‘smart home’ [and ‘smart office’ and ‘smart vehicle’ ...] houses numerous traditional IT devices (e.g. desktop and laptop PCs), mobile devices (e.g. smartphones and tablets) and an increasing variety and number of IoT things (e.g. smart entertainment and control systems). As these are increasingly generating and sharing information, there are implications for the APIs and protocols, including the information security and privacy aspects of the devices themselves plus their communications and networking both within and beyond the home. Since most householders are simply users or consumers with little to no interest or capability in the information security and privacy aspects of all that IT, there is a role for standards in this area, essentially acting as a proxy for consumers to specify their minimal or typical information security and privacy requirements. The proposal is to develop:

  • A domotics information security and privacy reference model based on ISO/IEC 30141;
  • An outline of the information [security and privacy] risks in this context;
  • Recommendations on the [kinds of] information security and privacy controls that should be implemented by default in order to protect the interests of users/consumers.


Provenance model for information security attribution and accountability (SP)

Provenance is primarily a matter of being able to trace the origins and ascertain safe custody of something valuable - such as information. It’s an integrity control, an assurance measure. It can be extremely important in the case of, say, forensic evidence (maintaining the ‘chain of custody’) and counterfeiting (e.g. distinguishing genuine works of art from fakes), and for accountability (e.g. proving that someone did something bad enough to deserve being hauled over the coals).

This SP explored the concepts, practices and applications of provenance in the context of information security (e.g. identifying those responsible for a ransomware attack) ... leading to a NWIP.


Privacy by design of consumer goods and services (NWIP)

A standard will be produced that “allows consumer goods and services providers to address all the lifecycle issues of privacy by design so that through its use and proven compliance consumers can make goods purchases and use services with greater confidence that privacy protection has been designed into the products”.

The NWIP brief is unusually detailed, increasing the probability of a useful, valuable, worthwhile standard being developed.


Cybersecurity - Overview and concepts (SP)

A Study Period set out to:

  • Call for expert contributions using a draft Design Specification that was developed during SC 27’s Berlin meeting;
  • Draft a New Work Item Proposal and skeletal standard.

I have no idea, yet, how “cybersecurity” will be interpreted: clarifying the meaning is one of the objectives of this SP.


Cybersecurity - Societal considerations and responsibilities (SP)

Yet another Study Period that failed to define what was meant by “cybersecurity”, received next to no contributions and looks likely to disappear in a puff of magic dust. For some bizarre reason, the SP concluded that instead of an International Standard, SC 27 might produce a Technical Report ... presumably conjuring one out of thin air given the lack of engagement.


Reference architecture for a cybersecurity framework (NWIP)

The proposal is to develop a common ‘reference architecture’ to be used when an organisation develops and implements ‘cybersecurity frameworks or programmes’. The main purpose seems to be to align cybersecurity approaches and terminology, making it easier to communicate within and between organisations on this topic.

Clarifying the meaning of “cybersecurity” would be a great start ...


Investigation of need for guidelines on Security Operations Center (SP)

Since the design and management of an SOC is not common knowledge (except for organisations that already have one), this could be an interesting standard.

The SP took up where a previous one on “Incident response within ICT security operation” left off.

Personal comments: hopefully this will complement ISO/IEC 27035.


Big Data Security - Capability Maturity Model (NWIP)

A New Work Item Proposal intends to develop a CMM-style standard covering “big data”.

According to the proposal, BDS-CMM would be used to assess the big data security capability level of organisations, taking account of four capability aspects: responsibilities, processes, technology/tools and staff skills in the area of big data security management.

In more detail, it would:

  • Describe in a structured and standardized way a framework of best practices in the form of a process management and capability improvement model;
  • Describe best practices addressing data security issues throughout the data lifecycle;
  • Be extensible and applicable to any organisation objectives;
  • Present an organized set of practices and goals for data security.

Personal comments: I have two concerns with this proposal. First, despite the name, “big data”, as the term is generally understood and used, is not merely a straightforward extension of current data/IT trends towards bigger volumes of data as implied in the proposal. It refers to using different forms of data analysis to reveal useful patterns in truly enormous and dynamic data sets, well beyond the capabilities or realm of conventional data processing. Second, although CMM is a useful construct for measuring and driving maturity, I’m not convinced SC 27 is well placed to specify ‘best practices’ in the area of big data security - or small data security for that matter. Good practices, fair enough ... but isn’t that what the ISO27k series already does?

A revised NWIP proposed to develop security guidelines for big data platforms (infrastructure, data storage, data interface and data processing) taking account of the challenges and risks.

The proposed/donor standard is not a bad start but we’ll see whether SC 27 will have anything much to add on big data security beyond the existing ISO27k standards.


Cloud-related security studies

An SC 27 WG4 study on the possible need for cloud computing security standards identified three areas of interest, and spawned at least three further studies:

  1. Cloud security assessment and audit - assessing, evaluating, reviewing or auditing cloud security arrangements.
  2. Cloud-adapted risk management framework - interpreting/adapting/applying ISO27k and other risk management approaches to cloud computing [may recommend an annex to ISO/IEC 27005 concerning cloud risks, rather than a separate standard]. A second call for contributions primarily identified the need to consider the different context in cloud versus traditional in-house IT operations, which affects the risks. The concept of stretching the definition of an ‘organisation’ to cover multiple legal entities who collaborate to deliver cloud services might also be an issue for the existing ISO27k standards. The study may recommend a Technical Report rather than an International Standard.
  3. Cloud security components - separating out the individual elements necessary to build cloud security.

A further new work item was proposed by ITU-T, on “Guidelines for Cloud Service Customer Data Security”, covering situations where the cloud service provider is required to secure the customers’ data (which is not always the case: sometimes the customer remains responsible).

Another NWIP has been proposed, along with an initial contribution for “The architecture of trusted connection to cloud services”, subsequently re-titled “Security requirements on trusted connection to Internet based services”.

Oh and another: “The architecture for virtual root of trust on cloud platform”.

A short Study Period on “Emerging virtualization security” took inputs from the Cloud Security Alliance on Network Function Virtualization covering virtual networks specifically, as opposed to virtual systems, storage and applications. Or reality.


Competences for information security testers and evaluators

“The scope of the proposed standard is to provide the minimum requirements for the competence of individuals performing testing and evaluation activities using ISO/IEC standards for evaluating or testing the security functionality of IT products.” [quoted from the New Work Item Proposal].

The NWIP pointed out that a lack of standards in this area leads to inconsistencies in the conformance testing performed by testers and test labs.

Personal comments: the project looked set to go ahead with a standard ... but has since disappeared from my radar. Possibly it was merged into the project on ISO/IEC 27021?


Risk Handling Library (SP)

This Study Period proposed to develop another Standing Document (guidance for use within SC 27). Support for the SP was lacklustre, partly because the purpose of the grandly named but curiously obtuse “Risk Handling Library” is unclear - not just badly described but arguably ill-conceived. Who is it aimed at? What benefits will it provide?

The SD may catalog risk-related content in both current and future/planned ISO27k standards. A draft produced in April 2017 was simply a spreadsheet referencing ISO27k and other standards that happen to mention risk. It didn’t cite the specific sections where risk is mentioned, nor is there any intention to include relevant sections of text - it was basically just a bibliography.

Personal comments: this appears to overlap with both the Terminology Working Group and SD6 “Glossary of IT Security Terminology”.

SC 27 has a knack of setting off with a flourish on journeys to unknown destinations by unclear routes for uncertain reasons, then promptly stumbling its way into tar pits and quagmires. Personally, I suspect the recurring nightmare has a governance cause ... and yet it could be seen as a means to release or stimulate free-thinking creativity. That would be fine if we didn’t have a mountain of more tedious and important, even urgent work on our plates already (27002 revision, 27005 re-revision, IoT security, cloud security, blah blah blah), or if the creativity extended to re-designing the way the committee operates. Adding yet more stuff to the top of the pile really isn’t helping matters. Or, to invert the simile, it’s tough to dig your way out of a hole ... so stop digging!

An invitation to committee members to get involved with this project received not a single positive response at first, then one lonely response at the second request.

Then there’s this: “ISO/IEC JTC 1/SC 27/SWG-T recommends to take the appropriate steps to make the new SC 27 Standing Document 19 Risk management resource library publicly available within SC 27.” So is the “Risk Management Resource Library” the same as the “risk handling library” or something else again?


There are shades of the People’s Front of Judea.


Meanwhile, a Technology Task Force has been proposed to coordinate and clarify the vocabulary within all of SC 27’s standards and, in due course, globally when the standards are published and used. At least, that’s what I think it is meant to do: its scope and purpose have yet to be defined. Perhaps SC 27 needs a TTF scope and definition project?


Information Security Library (SP)

A project is studying the need for an Information Security Library standard explaining how all the standards within the remit of SC 27 fit together, and how organisations might choose to use them [which sounds to me a lot like the overview function of the present ISO/IEC 27000, albeit perhaps extending beyond the ISO27k standards to include privacy, identity management etc.]. Internally within SC 27, the ISL would drive the continued development of the standards, envisaging an accelerated timeframe for the more dynamic technology-driven IT security elements relative to the slower-evolving business-driven information security and governance parts.

A draft of SC 27 Standing Document 16 suggests developing the ISL as (in effect) a roadmap for SC 27’s activities. Maintaining/updating and extending Annex A of ISO/IEC 27001 would become the focal point of many if not all of SC 27’s projects.


Cybersecurity maturity model

A project set out to develop a maturity model covering cybersecurity, defined inter alia as “preservation of confidentiality, integrity and availability of information in the Cyberspace”.

Personal comments: unfortunately, ‘the Cyberspace’ is poorly and inconsistently defined and quite obscure, hence it is far from clear what the maturity model would actually cover. I’m unsure who would benefit from such a maturity model anyway.




PS  There is at least one 27000-numbered standard that is definitely not part of the ISO27k information security management suite: ISO/TR 27918:2018 concerns “Lifecycle risk management for integrated CCS projects” ... where CCS evidently means Carbon Capture and Storage, an abbreviation that should really have been expanded in the title.

Copyright © 2022 IsecT Ltd.