ISO/IEC 27010:2015 – Information technology – Security techniques – Information security management for inter-sectoral and inter-organizational communications (2nd edition)
The purpose of this document is to outline the common requirements for sharing information about security risks, control issues, issues that cross sectors as well as nations, particularly those that affect critical infrastructure.
The ISO/IEC 27010 standard explains information security interworking and communications between industries in the same industry, between industries of different types and between companies and governments, either in times of crisis and to protect critical infrastructure or to meet legal, regulatory, and contractual obligations under normal business conditions.
Overview and rationale
The sharing of confidential information about information-related threats, vulnerabilities, and/or incidents can sometimes be necessary, for instance when private companies, governments, law enforcement and CERT-type organizations collaborate on analysis, evaluation, and resolution of serious organizational-level and sometimes international cyberattacks. The recipient organization may have to restrict access to such sensitive information, for example, because it is often very sensitive. Sources of information may need to remain anonymous to be protected. Normally, these information exchanges occur in highly charged, stressful, and time-stressed environments — not the best environment for establishing trust and setting up effective security controls. Providing common ground rules for the secure handling of data is a key purpose of this standard.
This standard is geared towards providing methods, models, processes, policies, controls, protocols, as well as other mechanisms for securely sharing information among trusted counterparties based on the understanding that key information security principles will be adhered to.
The standard’s status
Following its first release in 2012, ISO/IEC 27010 underwent some minor editing to align it with the 2013 versions of ISO/IEC 27001 and 27002.
2015 marked the publication of the second edition of the book.
SC 27 ratified it in 2021 for another five years.
Although the exact information risks that may arise from sharing information concerning information security incidents among disparate organizations will of course depend highly on the specifics of the situation (for example, how they arise, who is involved, who is affected, etc. ).
The following generic list exemplifies the broad range of important issues that should be considered:
– Ensure information security is taken into account (for example, developing policies and procedures, while training and raising awareness of the processes involved, and possibly conducting independent assessments or audits to ensure compliance with ISO/IEC 27010 as well as other ISO27k standards, including 27001, 27002 and 27005);
– Disseminating initial information and knowledge about the situation in advance of formalizing the arrangement. In doing so, recipients are encouraged to think about their roles and the disclosing parties should think carefully about the implications of further disclosure.
– Establishing and strengthening trusting relationships between those involved, collaborating and communicating with each other;
– Building trust with other organizations that are also involved (for instance, if communications are routed through an intermediary) or connected somehow, such as business partners and those that may be required to be informed or involved as part of the process;
– Identifying and defining information security requirements (this likely involves a risk assessment by the disclosing party as well as perhaps the receiving party);
– Explaining clearly the risks, obligations, expectations, and liabilities associated with information security (including the use of a lexicon of terms derived from ISO27k and comparable classifications);
– Assessment and acceptance of security risks and responsibilities (for example, in a contract or contract-like entity whose existence and content may also need to be kept confidential);
– Maintaining the security of information (by using appropriate cryptographic methods), avoiding its loss, interception, deletion, spoofing, duplication, repudiation, damage, modification or being misunderstood by third parties;
– The use of version controls and appropriate authorisations for both the disclosure and the acceptance of valuable information is essential;
– Identifying the risks and controls related to the collection, analysis, ownership, protection, and forwarding of information about the situation (including limitations preventing the information from being used for purposes unrelated to the current incident);
– Adequately protecting the information, as well as possibly other assets that belong to the recipient organization or individual;
– Compliance with regulations and, where necessary, enforcement activities such as the imposition of penalties, etc. when promises are breached, trust is misplaced, and accidents occur;
– Due to risk assessment, security activities, or other constraints, unacceptably long delays in the communication of important information;
– The impact of collection, handling, storage, analysis, and presentation of forensic evidence;
– Restrictions on post-incident disclosures, such as incident management reports, press releases, and legal actions.;
– Expanded trust and more secure arrangements between parties through a systematic process improvement.
Unfortunately, the published standard does not explicitly cover these aspects. The report would have been more valuable and comprehensive if it had been.