ISO/IEC TS 27110:2021 — Information technology, cybersecurity and privacy protection — Cybersecurity framework development guidelines
Published as a Technical Specification, the document (billed as an architecture for cybersecurity) offers guidance to organizations developing cybersecurity frameworks, which it conceptualizes as the basic concepts, formats and mechanisms for organizing, communicating and managing cybersecurity activities.
The scope of the standard
The stated goal is to ensure that a minimum set of concepts is used to describe cybersecurity frameworks, for the benefit of framework creators and framework users alike.
Content of the standard
7 Developing a cybersecurity framework
Annex A: outlines the inputs, processes and outcomes of each of the identify, protect, detect, respond and recover steps.
Annex B: “Considerations in the integration of a cybersecurity framework”, whose purpose is unclear.
Annex C: a list of existing cybersecurity frameworks, mostly national ones.
The standard’s status
The standard was released as a Technical Specification in February 2021.
It is hard to tell who this standard is aimed at or what it is for. Whom does it serve, and what does a “cybersecurity framework” actually entail? What burden is it meant to lighten, and what is the nature of that burden?
As the introduction states, “business groups, government agencies, and other organizations produce documents and tools called cybersecurity frameworks to help organize and communicate cybersecurity activities of organizations”.
– I don’t have any “cybersecurity frameworks” in my toolbox, so I assume this standard isn’t aimed at me;
– “Cybersecurity” is not defined in the standard. Another ISO27k project that claims to be about cybersecurity also deliberately avoids defining the term, hiding behind abstract language rather than clarifying. So much for international standards pushing back the boundaries;
– The distinction between “creators” and “implementers” of cybersecurity frameworks suggests a conventional waterfall approach, in which one party identifies the requirements and designs a solution (the “framework”) that is then carried out by another party. There is no suggestion that the process might be iterative, or that both phases need appropriate governance and management. Since the standard offers no specifics for implementers, I assume the intended audience is framework creators;
– The “concepts” that, according to the standard, should be part of a cybersecurity framework (identify, protect, detect, respond, recover) reflect the familiar pre-incident, during-incident and post-incident phases, a simplistic timeline. Nothing wrong with that as far as it goes, but the standard makes no attempt to explain why these particular ‘concepts’ must be included, and ignores that other ‘concepts’ are possible (the ISMS of ISO/IEC 27001 is only one of several candidates);
– The examples in Annex C suggest that a “cybersecurity framework” might serve as a strategic approach to managing (most likely IT-related) threats to critical national infrastructure, which further implies that “cybersecurity framework creators” are usually government bodies. Yet again, I am squinting between the lines, looking for crumbs of perspective.
The relationship between a cybersecurity framework and a conventional ISMS is not made clear. I suspect these “documents and tools” are meant to be used alongside a management system, even though the standard states “This document is not intended to supersede or replace the requirements of an ISMS given in 27001”.
Cynically speaking, this looks like a politically motivated effort to align ISO27k with, or perhaps amend ISO27k to reflect, NIST’s Cybersecurity Framework in particular. If organizations prefer the CSF, they are free to use it, so why change ISO27k, especially around a buzzword like “cybersecurity” that persistently defies definition? My heart is breaking!