Welcome to the SecAware blog

I spy with my beady eye ...

25 May 2021

Stepping on the cracks

Anyone seeking information security standards or guidance is spoilt for choice e.g.:

  • ISO27k - produced by a large international committee of subject matter experts and national representatives  
  • NIST SP 800 series – well researched, well written, actively maintained ... and FREE!
  • IT Grundschutz - a typically thorough Germanic approach, to the point of absurdity (4,800 pages!  It's encyclopaedic!)   
  • CSA - cloud security guidance is their home turf
  • COBIT - takes a deliberately different perspective on 'risk' and 'control' 
  • Secure application development standards such as those from OWASP 
  • IT standards and methods as a whole: relevant because IT or cyber security is clearly a big part of information security 
  • HR, physical security, privacy and business continuity standards and methods as a whole: filling-in the substantial gaps in IT or cyber security 
  • Risk management standards, the best of which at least mention the importance of identifying and managing information risks
  • PCI DSS - not really an infosec standard so much as a contractual mechanism forcing organizations using credit cards to play their part in maintaining card security, but hey it has "data security" in the title 
  • Myriad laws and regulations, such as GDPR on privacy, copyright and patents protecting intellectual property, computer misuse/anti-hacking laws, anti-fraud laws, contracts and contract law governing obligations agreed between parties ... and loads more ... [IANAL]

Studying these is hard work. Aside from simply keeping up with developments as they all evolve in parallel, taking in their distinct perspectives on essentially the same area plus often subtle difference in their use of language consumes a lot of brain cycles

Naturally there is a lot in common since they all cover [parts of] information security. Commonality and consensus reinforces the conventional approaches of 'generally accepted good security practices', and fair enough. Personally, however, I am fascinated by the differences in their structures, emphasis and content, reflecting divergent purposes and scopes, authors, histories and cultures.

Some focus on the paving slabs. I'm looking out for the cracks.  

ISACA's COBIT, for instance, emphasizes the business angle (satisfying the organization's objectives), whereas various certification standards, laws and regs emphasize the formalities of specification and compliance, addressing societal aspects of information security. At the same time, privacy concerns the rights and expectations of the individual. Three different perspectives.

The recently-published ISO/IEC TS 27570 "Privacy guidelines for smart cities" neatly illustrates the creativity required to tackle new information risks arising from innovation in the realm of IoT, AI and short range data communications between the proliferating portable, wearable and mobile IT devices now roaming our city streets. Likewise with the ongoing efforts to develop infosec standards for smart homes and offices. 

There are opportunities as well as risks here: striking the right balance between them is crucial to the long term success of the technologies, suppliers and human society. Spotting opportunities and responding proactively with sound, generally-applicable advice is an area where standards can really help. It's not easy though.

24 May 2021

News on ISO/IEC 27002

Today I’ve slogged my way through a stack of ~50 ISO/IEC JTC1/SC27 emails, updating a few ISO27001security.com pages here and there on ongoing standards activities.

The most significant thing to report is that the project to revise the 3rd (2013) edition of ISO/IEC 27002 appears on-track to reach final draft stage soon and will hopefully be approved this year, then published soon after (during 2022, I guess).  

The standard is being extensively restructured and updated, collating and addressing about 300 pages of comments from the national standards bodies at every stage.  The editorial team are doing an amazing job!  

The new ‘27002 structure will have the controls divided into 4 broad categories or types i.e. technical, physical, people and ‘organizational’ [=other]:

For comparison, the standard is currently structured into 13 security domains:

‘27002 will nearly double in size, going from 90 to 160 pages or so, thanks to new controls and additional advice including areas such as cloud and IoT security.  Virtually all of the original controls have been retained but most have been reworded for the new structure and current practice … and there’s an appendix mapping the old clauses to the new. 

27001 Annex A is being updated to reflect the changes, and a new version of that standard is due to be published in the 2nd quarter of 2022.  

presume other standards based on ‘27002 (such as ‘27011 and ‘27799) will also be revised accordingly, at some point.