ISO/IEC TR 27103

ISO/IEC TR 27103:2018 – Information technology — Security techniques — Cybersecurity and ISO and IEC standards


In the case of “cybersecurity,” which is simply the component of information security that relates to IT, existing information risk and security standards are directly applicable.

As specified in ISO/IEC 27001 and other ISO27k standards, an Information Security Management System is generally considered a comprehensive management system, governance framework, or organizational structure for managing information risks, including those relating to IT and the Internet.

The scope of the standard

This document offers guidance on how to leverage existing standards within a cybersecurity framework.

The content

The purpose of this document is to explain why it is important to have risk-based, prioritized, flexible, outcome-focused, and communication-enabled cybersecurity frameworks. The document goes on to describe the objectives of a strong cybersecurity framework and to map these objectives to existing standards that can be used.

Using an arbitrary structure, it refers to relevant ISO and IEC standards down to the first-level clauses (for example, clause 9.3 of ISO/IEC 27001:2013), based on their relevance to cybersecurity.

The standard’s status

Published in 2018 as a Technical Report, the standard addresses several topics.

Due to a large number of references to existing standards, ANSI proposed releasing the standard free of charge. Unfortunately, this did not happen.


The goal of the project was to develop a standing document for SC 27 that explained how ISO27k and other ISO and IEC standards can be usefully applied to cybersecurity. In the end, however, it produced an ISO27k Technical Report that failed, like ISO/IEC 27032, to define the terms “cybersecurity”, “cyber risk” and “cybersecurity framework”.

A lack of precise terminology makes this standard inherently unhelpful and problematic. By saying things like “Cybersecurity is a relatively new discipline”, it perpetuates and even accentuates the myth that cyber means something different and unique. To what do we compare it – the abacus? Do you mean stone tablets? What about balls and chains?

‘Cyber’ is too hot, too fast, too trendy, it seems.

ISO/IEC JTC1/SC 27 has the potential to:

– Determine a consensus definition of cyber and related terms, defining the differences from existing terms such as information security (or information risk), as well as the categories (for instance, is cyber information technology, systems, networks, technology, the Internet, external threats, simply marketing hype, a war-related issue, or something else? No one knows for sure);
– Outline and clarify the fundamental principles of managing (evaluating, assessing, and treating) cyber risks (for me, there is little difference in the fundamentals);
– Provide an analysis of the extent to which existing ISO27k standards cover this area of work, and identify any weaknesses or gaps for which additional guidance might be appropriate.

Even though the standard was published (it was a technical report), I think that it retards rather than advances the state of the art. Essentially, this was a wasted effort and an opportunity lost for a committee that aimed to be a leader in its field.



