Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Apr 11, 2011

ISO/IEC JTC1/SC27 meeting report 1

I'm writing this report during the first day of the SC27 meeting in Singapore not as a detailed or formal report, rather as an informal, personal summary of events and news so far specifically in relation to the ISO/IEC 27000 family of standards (which are only part of the agenda for the meeting). Although the meeting has several parallel streams, I cannot be in more than one place at once, but chatting to SC27 colleagues who have attended other sessions can help fill in the gaps to some extent. Furthermore, this is a dynamic and complex environment: things are changing as I write this sentence - literally. There are informal discussions ongoing in front of me concerning the scope and nature of a standard that we have just been discussing, and other parallel sessions are going on in other rooms.

Anyway, with that background, it's time to spill the beans on day 1 so far.

The revisions of ISO/IEC 27001 and 27002 have been the primary items of interest, mostly because of the large number of comments received on both. The sheer volume of input makes the editors' job tough as they need to make sure that all comments are addressed to the satisfaction of the national standards bodies that made them. There is not physical time to discuss them all in detail, so some level of consolidation, rationalization and prioritization needs to occur, and that makes the editor's job even harder. It's a bit of a juggling act to get right through the agenda and yet to give each of the comments and discussion sufficient time for due consideration at the meeting.

Pressure from ISO/IEC JTC1 level to align all the management systems standards to a common structure is bound to affect the way that ISO/IEC 27001 is revised. Meanwhile, there is some concern about whether all these changes are sensible and, if not, how we might feed concerns back to the JTC1 body responsible. This will develop during the week.

Various other ISO27k standards appear to be progressing well. The editors' progress reports referred to getting helpful comments from the national bodies, useful input and movement in the right direction. I have not noticed any big issues so far but again who knows what may pop out of the woodwork during the week ahead.

ISO/IEC 27016 on the economic side of information security is at an early stage. We have had a worthwhile discussion about the scope, structure, purpose and audience for this standard, prior to discussing the detailed comments received.

I understand that ISO/IEC 27014 on information security governance was intently discussing terminology and concepts this afternoon which again seems appropriate at this early stage of the standard's development.

That brings up a broader ongoing discussion about clarifying and defining the terms used in the ISO27k (and in fact other SC27) standards. Those of you who only see the finished, published versions of the standards may not always appreciate the amount of discussion that goes on around the terms. It is extremely difficult to keep all the standards in alignment on terminology while the standards and concepts are still developing and being clarified. These are moving targets. The issue goes even further out than SC27, since various other ISO/IEC committees and bodies are also developing standards at the same time, and wherever possible we prefer to adopt definitions that are in common use or are formally defined elsewhere. In practice, however, this is awkward because contexts often differ. "Risk", for example, has different detailed meanings in relation to information security, economics, health and safety, environment etc. Finding and exploiting the areas of commonality, and addressing any discrepancies, requires broad knowledge, experience and creativity. It's definitely a challenge.

This evening, we will be discussing a proposed security standard for cloud computing. It will be fascinating because:
- Cloud computing is 'new' and actively developing;
- Cloud computing security is even less well advanced;
- There is widespread agreement that information security and privacy are very important in the cloud computing context (although we may not always agree on the details behind that broad-brush statement);
- There are already some useful sources of advice on 'securing the cloud', which means we have some donor content to work with (e.g. the CSA, ENISA and NIST stuff on this topic);
- We have the opportunity to discuss the concepts, scope etc. at this early stage, before the standards development work starts in earnest.

OK, that's my input from today. I will try to continue this tomorrow and every day this week. Comments and questions are very welcome and I will try to address them as I go, but I am not intimately involved with all the work going on here so please forgive me if I don't have all the answers.

Gary (Gary@isect.com)