In addition to the ISO27k standards that have already been allocated numbers, SC 27 is considering further ISO27k standards and internal committee documents through a number of Study Periods leading normally to New Work Item Proposals, at which point (if agreed by SC 27) some become standards projects and are allocated ISO27k numbers ... and we set up the corresponding pages on this website to see them through to publication (or not, as the case may be).
Please note: SC 27 projects are highly volatile at the early stages while research is undertaken to clarify their scope and purpose, obtain relevant inputs (such as other standards and donor documents channeled through the national bodies and liaisons) and secure sufficient interest and engagement to make it worthwhile developing the standards. It is very hard for us to keep track of all the work going on so what follows below is mostly subjective opinion with countless errors and omissions. Please treat this as a very rough, inaccurate and incomplete guide - a heads-up on the kinds of stuff possibly on the horizon for SC 27.
Cybersecurity - IoT Security and Privacy - Device baseline requirements
This project is documenting the common but basic security features expected of IoT devices, enabling the IoT security controls documented in ISO/IEC 27030. A unique (and ideally immutable and verifiable!) device identifier is an example, plus a ‘factory reset’ function. It is anticipated that additional security controls will be required (and may be defined in further standards) for specific applications (e.g. medical things).
Information security and privacy guidelines for IoT [in physical] security systems (SP)
It is proposed to develop information and security guidance for IoT things used for physical security purposes (e.g. smart locks and CCTV systems).
Organizational Privacy Risk Management (NWIP)
It has been proposed to develop guidance for PII controllers and processors on how to address privacy risks to data subjects as part of an organizational privacy risk management program.
For organizations with a Privacy Information Management System, the standard will support privacy risk management.
Whereas organizational information risk analyses typically take the organization’s perspective, emphasizing incidents that might compromise the business, privacy risk analysis takes the individual’s perspective, emphasizing incidents that might compromise someone’s privacy. The question then arises about how to address both types of risk simultaneously.
Network virtualization security (SP)
This Study Period aimed to:
- Introduce and describe network virtualization;
- Analyze related techniques and existing applications;
- Analyze risks and challenges for network virtualization security;
- Propose security guidelines for network virtualization infrastructure, network virtualization function, service, control and resource management.
The identified information risks include:
- Risks arising from virtualization technology
- Vulnerabilities in the virtualization software such as virtual machine escape
- Physical machine, virtual machine resource isolation, operating system vulnerabilities
- Mirror tampering causes virtual machines to infect viruses and Trojan horses.
- The security policy is not synchronized when the virtual machine is migrated.
- Virtual machine and operating system software risks
- Higher application software vulnerabilities
- Security risks introduced by the architecture
- Hacks and DDoS attacks on centralized controllers/orchestrators
- Attacks using virtual or physical machines as tools
- Vulnerabilities arising from cackwards-compatibility
- Network & communications risks
- Difficulty in monitoring virtual machines with traditional IPS and antivirus (e.g. encrypted traffic preventing traditional content detection)
- Fake MANO, fake VNF
- Attackers misusing cloud resources for various attacks
- Vulnerabilities in open interfaces for authentication and access control, plus data spoofing and tampering.
- Data security risks
- Leakage of sensitive data from physical and/or virtual machines
- Administrators’ privileged access
- Failure to erase data securely when it is deleted or migrated
- Security management risks
- Complex strategy with potential for gaps and conflicts
- Operations staff have opportunities to access user and business data.
That’s a good start! The list may not be complete but it’s a rational structure with plenty of potential for guidance, setting the scene nicely for a new part to ISO/IEC 27033.
Guidelines for Security and Privacy in IoT Domotics (home IoT systems; smart home/building) (NWIP)
The modern IT-enabled ‘smart home’ [and ‘smart office’ and ‘smart vehicle’ ...] houses numerous traditional IT devices (e.g. desktop and laptop PCs), mobile devices (e.g. smartphones and tablets) and an increasing variety and number of IoT things (e.g. smart entertainment and control systems). As these are increasingly generating and sharing information, there are implications for the APIs and protocols, including the information security and privacy aspects of the devices themselves plus their communications and networking both within and without the home. Since most householders are simply users or consumers with little to no interest and capability in the information security and privacy aspects of all that IT, there is a role for standards in this area, essentially acting as a proxy for consumers to specify their minimal or typical information security and privacy requirements. The proposal is to develop:
- A domotics information security and privacy reference model based on ISO/IEC 30141;
- An outline of the information [security and privacy] risks in this context;
- Recommendations on the [kinds of] information security and privacy controls that should be implemented by default in order to protect the interests of users/consumers.
Provenance model for information security attribution and accountability (SP)
Provenance is primarily a matter of being able to trace the origins and ascertain safe custody of something valuable - such as information. It’s an integrity control, an assurance measure. It can be extremely important in the case of, say, forensic evidence (maintaining the ‘chain of custody’) and counterfeiting (e.g. distinguishing genuine works of art from fakes), and for accountability (e.g. proving that someone did something bad enough to deserve being hauled over the coals).
This SP explored the concepts, practices and applications of provenance in the context of information security (e.g. identifying those responsible for a ransomware attack) ... leading to a NWIP.
Privacy by design of consumer goods and services (NWIP)
A standard will be produced that “allows consumer goods and services providers to address all the lifecycle issues of privacy by design so that through its use and proven compliance consumers can make goods purchases and use services with greater confidence that privacy protection has been designed into the products”.
The NWIP brief is unusually detailed, increasing the probability of a useful, valuable, worthwhile standard being developed.
Cybersecurity - Overview and concepts (SP)
A Study Period is going to:
- Call for expert contributions using a draft Design Specification that was developed during the Berlin meeting;
- Develop a draft NWIP and skeletal standard.
I have no idea, yet, how “cybersecurity” will be interpreted: clarifying the meaning is one of the objectives of this SP.
Cybersecurity - Societal considerations and responsibilities (SP)
A Study Period that, yet again, failed to define what was meant by “cybersecurity”, received next to no contributions and looks likely to disappear in a puff of magic dust. For some bizarre reason, the SP concluded that instead of an International Standard, SC 27 might produce a Technical Report ... presumably conjuring one out of thin air given the lack of engagement.
Utility of the Statement of Applicability SoA (SP)
Given that ISO/IEC 27001 Annex A remains a bone of contention with SC 27, a Study Period has:
- Consolidated views on Annex A and SoA;
- Called for contributions to solicit expert views, including alternatives.
The idea was to thrash out and resolve the issue, once and for all. Hopefully. Fingers crossed.
The consensus is to retain Annex A as a useful linker between 27001 and 27002. However, 27001 may be updated to clarify that the Annex A controls are NOT required, hence the SoA can identify any suite of controls and need not follow Annex A at all.
Reference architecture for a cybersecurity framework (NWIP)
The proposal is to develop a common ‘reference architecture’ to be used when an organization develops and implements ‘cybersecurity frameworks or programmes’. The main purpose seems to be to align cybersecurity approaches and terminology, making it easier to communicate within and between organizations on this topic.
Clarifying the meaning of “cybersecurity” would be a great start ...
Investigation of need for guidelines on Security Operation Center (SOC) (SP)
Since the design and management of an SOC is not common knowledge (except for organizations that already have one), this could be an interesting standard.
The SP took up where a previous one on “Incident response within ICT security operation” left off.
Personal comments: hopefully this will complement ISO/IEC 27035.
Guidelines for security and privacy in Internet of Things (IoT) (SP)
Presumably the standard in intended to cover information risks and security controls for IoT, with a special emphasis on privacy (the previous SP on “Guidelines for security in Internet of Things (IoT)” was terminated).
ISO/IEC JTC1/Working Group 7 (not SC 27) is preparing an architectural standard to define the terms and concepts that users and other standards committees can use in due course. WG 7 is mainly concerned with sensor networks, hence their interest in the Internet of Things such as smart grid, smart city etc., where various devices with various sensors are able to link up and pass along information. There are substantial confidentiality, privacy, integrity and availability issues with some of the implementations, hence an information security standard seems likely to follow. However, there seems to be more to the Internet of Things than smart grids and sensor networks, hence SC 27 also initiated a study period in this area.
A skeletal draft ISO27k standard “Guidelines for security and privacy in Internet of Things (IoT)” has been released to SC 27 with three main sections: an overview; a set of principles; and a set of controls.
Big data security capability maturity model (BDS-CMM) (NWIP)
A NWIP has been proposed to develop a CMM-style standard covering “big data”.
According to the proposal, BDS-CMM would be used to assess the big data security capability level of organizations, taking account of four capability aspects: responsibilities, processes, technology/tools and staff skills in the area of big data security management.
In more detail, it would:
- Describe in a structured and standardized way a framework of best practices in the form of a process management and capability improvement model;
- Describe best practices addressing data security issues throughout the data lifecycle;
- Be extensible and applicable to any organization objectives;
- Present an organized set of practices and goals for data security.
Personal comments: I have two concerns with this proposal. First, despite the name, “big data”, as the term is generally understood and used, is not merely a straightforward extension of current data/IT trends towards bigger volumes of data as implied in the proposal. It refers to using different forms of data analysis to reveal useful patterns in truly enormous and dynamic data sets, well beyond the capabilities or realm of conventional data processing. Second, although CMM is a useful construct for measuring and driving maturity, I’m not convinced SC 27 is well placed to specify ‘best practices’ in the area of big data security - or small data security for that matter. Good practices, fair enough ... but isn’t that what the ISO27k series already does?
A revised NWIP proposed to develop security guidelines for big data platforms (infrastructure, data storage, data interface and data processing) taking account of the challenges and risks.
The proposed/donor standard is not a bad start but we’ll see whether SC 27 will have anything much to add on big data security beyond the existing ISO27k standards.
Use of ISO27k for governmental/regulatory requirements (SP)
This project is exploring the use of ISO27k in connection with governmental oversight of organizational information security arrangements. The proposal is to generate an internal committee Standing Document listing authorities such as governments and regulatory bodies that demand or recommend compliance with the ISO27k standards in various laws and regulations.
Personal comments: whereas organizations that are legally obliged to comply with ISO27k standards should determine the requirements for themselves, a Standing Document may prove useful in reminding committee members that changes to the standards can have significant implications for users. It may also have marketing benefits, proving that the ISO27k standards have real value and purpose.
Cloud-related security studies
An SC 27 WG4 study on the possible need for cloud computing security standards identified three areas of interest, and spawned at least three further studies:
- Cloud security assessment and audit - assessing, evaluating, reviewing or auditing cloud security arrangements.
- Cloud-adapted risk management framework - interpreting/adapting/applying ISO27k and other risk management approaches to cloud computing [may recommend an annex to ISO/IEC 27005 concerning cloud risks, rather than a separate standard]. A second call for contributions primarily identified the need to consider the different context in cloud versus traditional in-house IT operations, which affects the risks. The concept of stretching the definition of an ‘organization’ to cover multiple legal entities who collaborate to deliver cloud services might also be an issue for the existing ISO27k standards. The study may recommend a Technical Report rather than an International Standard.
- Cloud security components - separating out the individual elements necessary to build cloud security,
A further new work item was proposed by ITU-T, on “Guidelines for Cloud Service Customer Data Security”, covering situations where the cloud service provider is required to secure the customers’ data (which is not always the case: sometimes the customer remains responsible).
Another NWIP has been proposed, along with an initial contribution for “The architecture of trusted connection to cloud services”, subsequently re-titled “Security requirements on trusted connection to Internet based services”.
Oh and another: “The architecture for virtual root of trust on cloud platform”.
A short SP on “Emerging virtualization security” took inputs from the Cloud Security Alliance on NFV (Network Function Virtualization) covering virtual networks specifically, as opposed to virtual systems, storage and applications. Or reality.
Competences for information security testers and evaluators
“The scope of the proposed standard is to provide the minimum requirements for the competence of individuals performing testing and evaluation activities using ISO/IEC standards for evaluating or testing the security functionality of IT products.” [quoted from the NWIP].
The NWIP pointed out that a lack of standards in this area leads to inconsistencies in the conformance testing performed by testers and test labs.
Personal comments: the project looked set to go ahead with a standard ... but has since disappeared from my radar. Possibly it was merged into the project on ISO/IEC 27021?
Risk Handling Library (SP)
This SP is proposing to develop another Standing Document (guidance for use within SC 27). Support for the SP has been lacklustre, partly because the purpose of the grandly named but curiously obtuse ”Risk Handling Library” is unclear - not just badly described but arguably ill-conceived. Who is it aimed at? What benefits will it provide?
The SD may catalog risk-related content in both current and future/planned ISO27k standards. A draft produced in April 2017 was simply a spreadsheet referencing ISO27k and other standards that happen to mention risk. It didn’t cite the specific sections where risk is mentioned, nor is there any intention to include relevant sections of text - it was basically just a bibliography.
Personal comments: this appears to overlap with both the Terminology Working Group and SD6 “Glossary of IT Security Terminology”.
SC 27 has a knack of setting off with a flourish on journeys to unknown destinations by unclear routes for uncertain reasons, then promptly stumbling its way into tar pits and quagmires. Personally, I suspect the recurring nightmare has a governance cause ... and yet it could be seen as a means to release or stimulate free-thinking creativity. That would be fine if we didn’t have a mountain of more tedious and important, even urgent work on our plates already (27002 revision, 27005 re-revision, IoT security, cloud security, blah blah blah), or if the creativity extended to re-designing the way the committee operates. Adding yet more stuff to the top of the pile really isn’t helping matters. Or, to invert the simile, it’s tough to dig your way out of a hole ... so stop digging!
An invitation to committee members to get involved with this project received not a single positive response at first, then one lonely response at the second request.
Then there’s this: “ISO/IEC JTC 1/SC 27/SWG-T recommends to take the appropriate steps to make the new SC 27 Standing Document 19 Risk management resource library publicly available within SC 27.” So is the “Risk Management Resource Library” the same as the “risk handling library” or something else again?
There are shades of the People’s Front of Judea.
Meanwhile, a Technology Task Force has been proposed to coordinate and clarify the vocabulary within all of SC 27’s standards and, in due course, globally when the standards are published and used. At least, that’s what I think it is meant to do: its scope and purpose has yet to be defined. Perhaps SC 27 needs a TTF scope and definition project?
Information Security Library, ISL (SP)
A project is studying the need for an Information Security Library standard explaining how all the standards within the remit of SC 27 fit together, and how organizations might choose to use them [which sounds to me a lot like the overview function of the present ISO/IEC 27000, albeit perhaps extending beyond the ISO27k standards to include privacy, identity management etc.]. Internally within SC 27, the ISL would drive the continued development of the standards, envisaging an accelerated timeframe for the more dynamic technology-driven IT security elements relative to the slower-evolving business-driven information security and governance parts.
A draft of SC 27 Standing Document 16 suggests developing the ISL as (in effect) a roadmap for SC 27’s activities. Maintaining/updating and extending Annex A of ISO/IEC 27001 would become the focal point of many if not all of SC 27’s projects.
Cybersecurity maturity model
A project has been proposed to develop a maturity model covering cybersecurity, defined inter alia as “preservation of confidentiality, integrity and availability of information in the Cyberspace”.
Personal comments: unfortunately, ‘the Cyberspace’ is poorly and inconsistently defined and quite obscure, hence it is far from clear what the maturity model would actually cover. I’m unsure who would benefit from such a maturity model anyway.
The following study periods have ended: ex-SPs, they are no more
Guidelines for cyber resilience SP
A study period is ongoing on ‘cyber resilience’ or ‘Cyber resilience’ or ‘Cyber Resilience’ (various forms are used). The term is unclear, so one of the jobs for the study will (hopefully) be to define it, along with ‘adverse cyber events’ ....
Quoting from the call for contributions: “Cyber resilience refers to the ability (of an organization, business process or system) to continuously deliver the intended outcome despite adverse cyber events. Organizational resilience refers to the adaptive capacity of an organization in a complex and changing environment (ISO 22300). These definitions will be revisited and are likely to be revised as part of the study period.”
An interim report on the study period suggested that it might lead to a new standard for a cyber resilience management system, or possibly variants of 27001 or 27002, or a standard on integrating ISO 22301 with ISO27k.
An outline/skeleton for the standard referred to potentially incorporating the whole of information security management, rather than just the activities associated with maintaining critical business activities through and despite incidents affecting IT systems and networks ... calling into question the scope and purpose of this project.
A report from the SP noted the intention to use ISO/IEC 27009 to develop a sector-specific version of ISO/IEC 27001 specifically for resilience - a curious interpretation of the phrase “sector-specific”. If it got the green light, it would have produced a technical specification rather than an international standard, providing “guidance on the role and contribution played by ISO/IEC 27001 and ISO/IEC 27002, as well as other relevant standards, in building an organisational capability for cyber resilience.”
Despite the extended period, the call for comments failed to drum up ANY enthusiasm for this standard, with NO (0, zero, naught, null, nil, nada, nowt) contributions received. How this SP ever came into existence in the first place is one of life’s mysteries, shrouded behind the committee's governance arrangements.
Rather than simply kill it off, the moribund project has been merged with WG1’s other cybersecurity study periods.
Personal comments: this duck is dead, floating inexorably towards the weir. A reference to ‘adverse cyber events’ did not clarify the meaning of ‘cyber’. The call for contributions unhelpfully referred to “the digital (cyber) domain” as well, adding to the fog of confusion. Furthermore, in the context of information risk and security, ‘resilience’ normally refers to business continuity (the continuation of critical business activities) rather than adaptability, hence the initial definition was not exactly helpful. In short it was ill-conceived.
Maybe the second edition of ISO/IEC 27031 will nail it?
The study period resolved to:
- Continue discussing and refining the definition of “cybersecurity” as an area within information security.
- Use the form “cybersecurity“ not “cyber security” nor “cyber-security”.
- Develop a communications/outreach program explaining what cybersecurity is, and how it is largely satisfied by ISO27k.
- Develop an international cybersecurity framework standard.
- Include "cyber resilience" in some form, perhaps referring it ISO 22301
Personal comments: in practice, ‘cyber’ is used informally to refer to computing/IT, the Internet, serious nation-state or terrorist attacks on critical national infrastructures, artificial intelligence, electronics, robots, and no doubt other quite distinct things. These are not merely minor differences of interpretation or emphasis. They have markedly different implications for information risk and security.
< Previous standard ^ Up a level ^