ISO/IEC TS 27100
ISO/IEC TS 27100:2020 – Information technology — Cybersecurity — Overview and concepts
As per the standard (in fact, a technical specification):
“Cybersecurity is a broad term used differently throughout the world. This document defines cybersecurity, establishes its context, and describes relevant concepts, including how cybersecurity is related to and different from information security.
Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many of the information security controls, methods, and techniques can be applied to manage cyber risks.”
The scope of the standard
The purpose of this document is to provide an overview of cybersecurity.
Content of the standard
Several concepts about cybersecurity and cyber risk management are presented in the standard, and they are contrasted against information risk and security management.
At the end of 2020, the standard was published.
On two parallel planes, it seems, two cyber worlds exist simultaneously:
1. Vital national infrastructure: an important concern for government and defence is how to protect vital national infrastructure from terrorism, foreign powers, and various other threats coming from the Internet. That’s scary! Those who are developing offensive capabilities in this area have a vested interest in ensuring that others do not develop their defensive capabilities … it appears that some are intentionally spreading confusion and frustrating attempts to ensure clarity in this area (using this international standard, for example). It’s a tactic to delay the process.
2. Internet, network, and IT security, the same as it has always been: protecting digital data against deliberate attacks in general. Essentially, this is just an everyday aspect of information security. Please move on, there’s nothing to see here.
By muddying the waters rather than clarifying concepts and terminology, the standard is likely to achieve #1 above.
The document contains 17 pages, and I suspect it is destined to be relegated to the sidelines of the information superhighway, despite ISO’s desire to view it as a significant contribution to the field. There’s a claim that “cybersecurity is the evolution of information security” and that the new standard “provides much-needed clarification about the differences and similarities between cybersecurity and information security”. Describing cybersecurity as the evolution of information security is strange. I find this rather ironic for something that is supposed to provide clarity…