ISO/IEC TS 27022:2021 – Information technology – Guidance on information security management system processes
The standard (a Technical Specification) “presents a Process Reference Model (PRM) for Information Security Management, distinguishing ISMS processes from the measures/controls initiated by them, and explains the ISMS processes outlined in ISO/IEC 27001.”
A PhD thesis from the Universidad Carlos III de Madrid in Spain forms the basis of the standard.
Object of study
This standard aims to guide users of ISO/IEC 27001 to:
– Include procedures as outlined in clause 4.3 of ISO/IEC 27000:2018 within ISMSs
– Coordinate with all the work done under other ISO/IEC 27000 standards from the perspective of ISMS processes
– assist users in implementing an ISMS – the document will complement ISO/IEC 27003’s requirements-based perspective with operational, process-oriented viewpoints.”
There are no new requirements in the standard beyond those already defined in ISO/IEC 27001. It is therefore advisory and not mandatory.
Scope and Objectives
Specifically, the standard outlines a Process Reference Model, which includes a generic suite of ISMS processes that organizations may feel comfortable using as a basis for developing customized processes within their own ISMS.
The structure and content
ISMS processes can be categorized into 3 different forms (types or groups), namely:
– Governance-related activities (confusingly described as “management processes”) – Oversight and direction for ISMS;
– Core functions, such as information risk management, policy management, incident management, internal auditing; and
– Support, such as records management, providing information to interested parties about ISMS, managing relationships with ISMS consumers …
Each process is outlined in an Appendix, first as a table stating:
– The process category identifies what type of process it is
– A brief overview
– Purposes and objectives
– Inputs and Outputs
– Activities and functions, i.e., a description of what each step involves
– References that provide useful information.
The flowchart summarizes the process on one side or less after the table.
The standard’s status
A great deal of the content contributed by donors enabled the drafting process to move quickly in 2018.
In March 2021, ISO/IEC TS 27022 was published.
An ISMS viewed as a framework of processes isn’t a revolutionary idea. It is typical for organizations that are reasonably mature to have processes in place for:
1. Management of the assets;
2. Internal and external audit management;
3. Continuity of business management (based on ISO 22301);
4. Configuration management and version control, along with change management;
5. Systematically improving and managing maturity;
6. Program [security] management;
7. Exemption management (noncompliance with policies approved by management);
8. Management of the computer room’s facilities, including the power supply and other services;
9. Management of identities, access rights, and user accounts;
10. Incident management, including incident investigation and forensic analysis;
11. Information management as a whole;
12. Information security risk management (partially covered by ISO/IEC 27005);
13. Information security management (as defined by ISO/IEC 27001, 27002, 27003 and others);
14. Information Technology
15. Audits of internal processes and certification audits;
16. Cryptography, including key management;
17. Managing logs and receiving alerts and alarms;
18. Management information and management metrics (partially covered by ISO/IEC 27004);
19. Supervision and monitoring of security arrangements and risk management;
20. Patching, including dealing with urgent fixes through emergency arrangements;
21. Capacity management and performance management;
22. Human resource management, which includes “onboarding” and “offboarding”;
23. Preventive and corrective actions;
24. Quality assurance, specifically quality management;
25. Service management [organizations that are highly oriented toward processes are likely to use ITIL/ISO20000, which means ISO/IEC 27013 is applicable];
26. Relationship management with suppliers and vendors, among them telecom, Internet and cloud services, outside development, contract security guards, maintenance/services, professional services/consulting/contracting, etc.;
27. Network and system [security] management;
28. Testing and development of systems and software… and beyond.
Giving general advice that is not stifling is difficult. There must be a way to describe the processes while maintaining flexibility to cater to the many differences among organizations.
For a process to justify its existence, it needs to be valuable (cost-effective) in practice, for example:
– Eliminating unnecessary bureaucracy, rationalizing and justifying what remains;
– Leveraging automation and innovation where relevant;
– Facilitating or encouraging the use of existing processes, and adapting them as needed;
– Repurposing efficient ISMS processes through other departments or units in the organization;
Manage the processes themselves, including analyzing, evaluating, monitoring, and maintaining them, responding to changes, and identifying opportunities for improvement.
While the overall project has been approved, there have been oppositions during the writing to an implication that ISMS processes stand apart from routine operations in the organization, rather than being integral parts of it. As a rule, the process for handling information security or privacy incident is essentially the same as for handling any other incident. Therefore, it is not necessary to create a parallel incident management process if the existing one (maybe with a few tweaks) is sufficient. Rather than being mandatory, the standard should be considered advisory and is not to be used “out of the box” without keeping it relevant to the implementing organization (see section 4 of the draft).