Today we ended our editing of ISO/IEC 27002 having discussed sections 10 through 15 during the week [the earlier sections having been covered in the previous SC27 meeting]. Yesterday, we worked until 10pm to try to cover as much as possible. We have discussed literally hundreds of comments and proposed changes to the standard: I don't propose to detail them all here but will mention a few specifics that are close to my heart:
- Structure: many information security controls are relevant to several chapters of the standard, and could therefore be included in several places. However, the duplication is unhelpful, and wording differences due to the different contexts can be confusing for readers, so as a general rule, we try to describe the controls just once where most relevant and, if appropriate, cross-reference them from the other sections. This process broke down for the change management control which is currently in both the Operations and Development sections of the draft standard. I hope this anomaly will be resolved in the next round of comments.
- New controls: we have agreed to incorporate new controls for integrating information security into the entire systems development lifecycle and security requirements for specialist systems. The former is straightforward. The latter concerns the need to seek specialist advice on the security aspects when developing SCADA/ICS and embedded systems, various systems having health and safety implications etc.
- Referencing other standards: where appropriate, we propose to reference relevant standards (particularly other ISO27k standards) that provide more specific and detailed advice on certain controls rather than detail them in 27002 - for example, network security is being covered by ISO/IEC 27033, so much of the existing 27002 text on network security can (more or less) be dropped and replaced by a reference from 27002. However, we may retain any 'management controls' or security issues that require management involvement in 27002, and will [hopefully] provide enough of an introduction to the detailed standards to help readers determine whether they need to obtain and consider them. Section 14 on business continuity management, for example, will most likely refer to ISO/IEC 27031 and ISO 22301, and perhaps BS25999 and BS25777, which will cut down on the amount of detail needed in section 14. This is a bit tricky due to the parallel development, release and updating of various standards, so the final referencing will be left until the end of the 27002 revision process.
- Deleted controls: some rather narrowly-defined and/or obsolete controls have been dropped, although in some cases the still-relevant parts of their content have been incorporated into other controls.
- Definitions: the definition of "information asset" has caused some consternation as the phrase sometimes has differing implications in different contexts. The current proposal is to drop the definition, reverting to the dictionary definition and so allowing some flexibility to suit the context.
Moving on, parallel meetings have been working on many other ISO27k standards this week. I have updated the respective pages for them on the ISO27k.org website.
OK, this concludes my report from the SC27 meeting after a long and productive week's work. If you have any questions or comments, please join the discussion on the ISO27k Forum or email me directly. I will get back to New Zealand on Monday afternoon and have a lot of catching up to do during the rest of the week so meanwhile please don't expect an instantaneous response!