Welcome to the SecAware blog


15 Jul 2016

ISO/IEC 27000:2016 available for FREE download

Title page of ISO/IEC 27000:2016

Like its predecessors, the 2016 fourth edition of ISO/IEC 27000 has been released for FREE. It can be downloaded in both English and French.

Whereas I regret to say that ISO/IEC charges for most of the ISO27k standards, ISO/IEC 27000 is FREE in order both to spread a common understanding of information security terms and to outline the whole family of ISO27k standards. This is not some ripped-off pirated version but a legitimate publication by ISO/IEC.

The definitions in ISO/IEC 27000 apply throughout the ISO27k standards except where terms are explicitly redefined in the individual standards: generally those explicit redefinitions are refinements for the specific context of a single standard, or variations required to align with ISO standards outside the ISO27k family.

A few of the official definitions are rather curious and narrow - for instance I believe the definition of 'integrity' as 'property of accuracy and completeness' refers to data, system or process integrity, but not to personal integrity - which is, for sure, a core concern in relation to information risk and security, for instance in fraud and insider threats. Integrity is also about trustworthiness, grit, honesty and ethics.

A few definitions are grammatically weak, and perhaps technically wrong - for instance 'authenticity' is defined as 'property that an entity is what it claims to be' whereas a fake (unauthentic) Gucci handbag doesn't "claim" anything: it is just a fake handbag. The people who made and/or sell it claim (falsely assert) that it is Gucci, but the handbag itself is merely a branded inert object, incapable of making claims as such. This is a classic example of where a conventional dictionary does a better job than ISO/IEC 27000, for such commonplace terms anyway. The editors of ISO/IEC 27000 really ought to go through the glossary, pulling out such everyday terms (and citing a suitable dictionary), leaving behind only the specialist 'terms of art', most of which I suspect will be multi-word terms or phrases.

Some important terms (such as 'information asset') are undefined, largely I suspect because the committee cannot agree on the definitions, but possibly because someone has decided that the dictionary will suffice. 'Information security risk' is another undefined and strange term, common throughout the ISO27k standards. I hope it will eventually be replaced by the much more intuitive and sensible term 'information risk' with a suitable, straightforward definition, something along the lines of 'risk involving or relating to information'.

Whereas neither 'information security risk' nor 'information risk' is defined as a phrase, 'information security' and 'risk' are defined separately, along with 'information security event', 'information security incident' and 'information security incident management' - oh, and 'information security continuity', which apparently means the processes and procedures (both, you understand: don't go thinking one or the other is enough) ensuring the continuance of information security operations (which - yes, you guessed it - remains undefined).

Overall, though, while we (well OK, I) may bicker about specific issues, gaps and inconsistencies, it is a Good Thing that terms are consistently and formally defined. And, hey, at least it's FREE!


PS One other ISO27k standard is also free, namely ISO/IEC 27036-1 on information security in supplier relationships (including cloud security, sort of).
