ISO/IEC TS 27110

ISO/IEC TS 27110:2021 — Information security, cybersecurity and privacy protection — Cybersecurity framework development instructions

Introduction

As a Technical Specification, the standard (an architecture for cybersecurity) offers guidance to organizations developing cybersecurity frameworks, which are conceptualized as basic terms, formats, and mechanisms for managing, communicating, and organizing cybersecurity activities.

The scope of the standard

In this document, the intended goal is to ensure that a minimum set of concepts is used to describe security frameworks, for the benefit of cybersecurity framework creators and users alike.

Content of the standard

5 Overview

6 Concepts

6.1 General

6.2 Identify

6.3 Protect

6.4 Detect

6.5 Respond

6.6 Recover

7 Developing a cybersecurity framework

Annex A: outlines the inputs, processes, and outcomes of each step of the identification, protection, detection, response, and recovery processes.

Annex B: “Considerations in the integration of a cybersecurity framework”, unclear goal.

Annex C: a listing of cybersecurity frameworks, mostly national.

The standard’s status

The standard was released as a Technical Specification in February 2021.

Commentary

It’s hard to imagine who this standard is targeted at or what its purpose is. Who does it serve, and what does a “cybersecurity framework” entail? How is the burden to be lightened, and what are the characteristics of the burden?

As stated in the introduction, “business groups, government agencies, and other organizations produce documents and tools called cybersecurity frameworks to help organize and communicate cybersecurity activities of organizations”.

– I don’t have any “cybersecurity frameworks” in my toolbox, so I assume this standard isn’t aimed at me;
– “Cybersecurity” is not defined in the standard. Another ISO27k project claiming to be about cybersecurity deliberately avoids defining the term, using abstract language to deceive rather than clarify. So much for international standards pushing back the boundaries;
– The distinction between “creators” and “implementers” of “cybersecurity frameworks” indicates a standard waterfall approach, in which one party identifies requirements and designs a solution (the “framework”) which is then carried out by another party. There is no suggestion that the process might be iterative, or that both phases would require appropriate governance and management. As the standard does not provide specifics, I am assuming that the intended audience is framework creators;
– The “concepts” (as defined in the standard) that should be part of a “cybersecurity framework” reflect the standard pre-, para- and post-incident phases, providing a simplistic timeline. The problem here isn’t particularly complex. But the standard does not attempt to explain why these specific ‘concepts’ need to be included in it, and ignores that there may be other possible ‘concepts’ (for instance, ISO/IEC 27001, which is only one of several);
– In Annex C, the examples suggest a “cybersecurity framework” might serve as a strategic approach to managing (most likely information technology-related) threats to critical national infrastructures, further implying that “cybersecurity framework builders” are usually government officials. Yet again, I’m squinting between the lines, looking for crumbs of perspective.

As of right now, there is no clear relationship between a cybersecurity framework and a traditional ISMS. I am suspicious that these “documents and tools” are intended to be used in conjunction with a management system, even though the draft standard states “This document is not intended to supersede or replace the requirements of an ISMS given in 27001”.

Cynically speaking, this seems to be a politically motivated effort to align ISO27k with, or perhaps amend ISO27k to reflect, NIST’s Cybersecurity Framework in particular. If organizations prefer the CSF, they should feel free to use it, so why change ISO27k, especially with a buzzword like “cybersecurity” that constantly defies definition? My heart is breaking!
