Slogging away tediously for 3 full days, I've caught up with a 3-month backlog of emails from the ISO/IEC JTC 1/SC 27 committee, picking out and checking through all the ISO27k-related items and updating our website. It's a laborious process but worth it, I think, to keep up with developments, especially as the ISO27k standards will feature heavily in July's NoticeBored awareness module on security frameworks.
Here's a potted selection of news highlights on the ISO/IEC 27000-series standards:
- 27001 (ISMS) is likely to see some changes in the wording around risks and opportunities, and the Statement of Applicability. Hopefully the end result will be an improvment!
- The 27002 (controls) revision is starting to get to grips with reorganizing and tagging the information security controls. This is going to be a slog ... but at the end of it, there will be more flexibility for users of the standard, for example if you are auditing, reviewing or (re)designing the IT suite, it should be possible to pick out "all the preventive, physical security controls" without having to pore through the entire standard.
- A stop-gap minor update to 27005 (risks) should surface later this year, at last, while work progresses on the full revision in parallel.
- 27034 (appsec) is falling into place: this multi-part standard describes a highly structured method for managing the information security controls within a software development function, with fascinating features such as proper architecture, specification, design, hardening, testing and parameterization of controls. Users of the standard are encouraged to invests in building inherently strong controls, then reaping the rewards by re-using those controls in multiple applications or situations - a fascinating approach, one that some organizations are already using. It works!
- The development of 27045 (big data security) is just starting. I suspect 'big data' actually means 'complex IT systems' to the project team, rather than truly vast amounts of data, but I could be wrong. Either way, it is a brave move to develop security standards in this evolving area.
- The fun continues with 27100 and others on "cybersecurity", particularly as none of the existing or developing ISO27k cyber standards adequately define the terms. The committee appears to be drifting vaguely towards the area of basic Internet security (despite that being adequately served by existing ISO27k standards), although some remain curiously obsessed with "the Cyberspace" (whatever that actually means: the formal definition is distinctly unhelpful and bears little relation to what most people think cyber is all about) while critical infrastructure protection against cyberwarfare (a dramatically different interpretation of cyber in government and defense) is poorly addressed within ISO27k.
- IoT security standards are showing some signs of life. It's early days though involving lots of interaction with other committees and industry bodies actively developing the technology standards behind IoT.
- Privacy and information security are quietly sliding closer together. A number of new ISO27k standards will cover privacy matters, and the committee is considering a change of name from "IT Security Techniques" to "Information Security and Privacy" (or possibly something to do with cybersecurity, perhaps "Protecting the Cyberspace"?!). There is a substantial overlap between these areas, not 100% though.
For more info on these and other ISO27k news items, please browse ISO27001security.com or contact your national standards body for details of the shadow-committee slaving away on SC 27 matters.