Other ISO27k standards
As well as the ISO27k standards that have already been assigned numbers, SC 27 has a number of possible ISO27k standards and other documents under review within the committee through a series of Study Periods and Preliminary Work Items, culminating (if successful) in New Work Item Proposals, at which point (if approved by SC 27) the new standards are assigned ISO27k numbers … and corresponding pages are created for them on this website.
As a reminder: SC 27 projects are inherently volatile at the beginning, as research is undertaken to clarify their scope and purpose, obtain relevant inputs (such as additional standards and donor documents sourced from the relevant organizations and national liaisons), and garner sufficient interest and engagement to justify taking the project forward. With so much activity going on, it is hard for us to keep track of it all. Therefore, what follows represents mostly individual opinions with many errors and omissions. This is an incomplete and very rough guide – just a heads-up for what to expect at SC 27.
Application of ISO/IEC 27001 family standards in government/regulatory requirements
A document (Standing Document 7) was developed by SC 27/WG1 listing the laws and regulations (and the authorities behind them) that require or recommend compliance with ISO27k standards.
SC 27 is being asked whether SD7 should be published as a Technical Report, making it publicly available, possibly free of charge.
Data life cycle log audit protocol (PWI)
A Preliminary Work Item was approved in 2020. The standard is intended to provide guidelines for managing, using, protecting and auditing log records throughout the data lifecycle, covering “log management for data lifecycles, data security events monitoring and early warnings, analysis, and tracing.”
Requirements for auditing and certifying bodies of sector-specific information security management systems (PWI)
This 2020 Preliminary Work Item concerns the auditing of sector-specific ISMSs.
Privacy and security of IoT security systems (PWI)
A Preliminary Work Item begun in 2020 is investigating the possibility of security and privacy standards for IoT security systems (such as door locks and CCTV), which would extend the existing standards.
IoT Ad Hoc Group
To plan and coordinate the work on IoT security and privacy standards, SC 27 created an Ad Hoc Group (AHG) in 2020.
A study started in 2020 on the possibility of a security standard (or perhaps a Technical Report) for Cyber-Physical Systems, tentatively described as follows:
“an engineering system which integrates the real-time computing, real-time communication and real-time control features into the physical system, realizes perception and control on the physical process relying on the computing process, realizes the seamless combination of the cyberspace and the physical world” [reference: Study Report ISO/IEC JTC 1/WG 10 SRG 7 on Cyber-Physical Systems (CPS) for IoT].
CPS is defined in a preliminary work item available to SC 27 as:
“Linked set of resources and processes composed of interacting digital, analogue, physical, and human components designed for function through integrated physical space and cyberspace”
… followed by:
“The CPS provides a methodology to quantify information such as a huge amount of observation data generated by a sensor network in the real world (physical space) by linking it with strong computing power in cyberspace. In CPS, organization or people can provide various products or services for emerging needs through the use of IoT, and sophisticated use of data collected by IoT systems. Use cases of CPS include energy infrastructures, manufacturing, building control, transportation, home electronics, and others.”
Thus, ‘cyberspace’ looms large once again.
The emphasis is on sensor networks in IoT (or IIoT), and little is said about actuator networks, robotics, etc.
Among the goals of the project are:
– Explain the concept of “Cyber-Physical Systems”;
– Identify the relevant security concerns [presumably in the area of information risks];
– Create a security reference architecture for CPS [hopefully a set of controls, protocols, and treatments that will address the identified information security risks]; and
– Evaluate potential collaboration partners, i.e. organizations with a stake in CPS’s information security aspects.
Cunningly, many [insecure] CPS will be implemented before definitive reference architectures are drafted.
Organizational Privacy Risk Management (NWIP)
Guidance has been proposed to help PII controllers and processors address privacy risks to data subjects as part of an organizational privacy risk management programme.
The standard would support the management of privacy risk within an organization’s Privacy Information Management System.
The analysis of organizational information risk typically focuses on incidents that might compromise the organization, while the analysis of privacy risk focuses on incidents that might compromise an individual’s privacy. Thus, it is crucial to address both types of risks simultaneously.
Network virtualization security (SP)
During the Study Period, the following objectives were intended:
– Explain the concept of network virtualization;
– Analyze applications and related technologies;
– Identify risks and challenges associated with network virtualization security;
– Provide guidance on implementing and/or enhancing network virtualization infrastructure, services, control, and resource management.
Among the identified information risks are:
– Risks posed by virtualization technology itself
  – Host-to-host virtualization vulnerabilities, such as virtual machine escape
  – Virtual machine isolation, operating system vulnerabilities, and physical machine isolation
  – Image tampering, which can allow viruses or Trojan horses to infect virtual machines
  – Migration of virtual machines without synchronization of security policies
– Risks associated with virtual machines and operating systems
  – The increased vulnerability of application software
– Security risks posed by the architecture
  – Attacks on central controllers/administrators, whether through hacks or DDoS attacks
  – Attacks that use virtual or physical machines as weapons
  – Compatibility problems resulting from backward compatibility
– Risks associated with networks and communications
  – Problems monitoring virtual machines using traditional IPS and antivirus software (such as the inability to inspect content in encrypted traffic)
  – Fake MANO (management and orchestration) and VNF (virtual network function) components
  – Attackers using cloud resources to launch various attacks
  – Access control and authentication vulnerabilities, as well as data spoofing and tampering vulnerabilities
– Risks associated with data security
  – Unauthorized access to sensitive data in virtual or physical machines
  – Privileges granted to administrators
  – Insufficient security when deleting or migrating data
– Risks associated with security management
  – A complex strategy that might lead to gaps and conflicts
  – Operations staff having access to user data and business data
That’s a great start! It’s a logical list with plenty of potential for guidance, setting the stage nicely for a new part to ISO/IEC 27033.
Security and privacy guidelines for IoT domotics (home/building smart IoT systems) (NWIP)
An IT-enabled modern ‘smart home’ [and ‘smart office’ and ‘smart vehicle’ …] contains a mix of traditional PCs (such as desktop and laptop computers), mobile devices (such as tablets and smartphones), and Internet of Things devices (for example, smart entertainment systems and intelligent controls). As these devices generate and share ever more information, their APIs and protocols, and the information security and privacy of the devices themselves and their communications, become increasingly important. Since householders use all this IT with little or no knowledge of, or interest in, its privacy and information security aspects, standards can represent the minimum or typical privacy and security requirements of consumers on their behalf.
It is proposed to develop:
– A security and privacy model for domotics based on ISO/IEC 30141;
– [An analysis of] the potential risks to information [security and privacy] in this context;
– [An assessment of the types of] privacy and information security controls that should be implemented by default to protect users’ and consumers’ interests.
Provenance model for information security attribution and accountability (SP)
Ascertaining the provenance of something (such as information) is primarily about being able to trace its origins and confirm its safe custody. It’s an assurance measure and an integrity control. Provenance information can be very useful in forensics (preserving the chain of custody), in counterfeiting cases (distinguishing genuine art from fakes) and for accountability (for instance, proving that someone committed an infraction that warranted punishment).
As part of this SP, the authors explored evidence of provenance in the context of information security (e.g. identifying the perpetrators of ransomware attacks), resulting in an NWIP.
Designing consumer goods and services with privacy in mind (NWIP)
A standard is to be developed that “allows consumers to make informed decisions about the purchase of goods and services with greater assurance that privacy protection is built into products at every stage of the lifecycle”.
A detailed NWIP brief increases the likelihood of developing a useful, valuable, worthwhile standard.
Cybersecurity – An overview and concepts (SP)
As part of a Study Period, the following goals were set:
– Consult on the draft Design Specifications developed during SC 27’s Berlin meeting;
– Prepare a New Work Item Proposal and a basic standard specification.
The goal of this SP is to clarify the meaning of the term “cybersecurity.” I am not sure how it will be interpreted.
Cybersecurity – societal concerns and responsibilities (SP)
The study period, which received virtually no contributions and vanished in the breeze, failed to define exactly what was meant by “cybersecurity.” Despite the lack of engagement, the SP concluded that instead of an International Standard, SC 27 should produce a Technical Report, which was probably created out of thin air given the lack of interest.
Utility of the Statement of Applicability (SoA) (SP)
Since ISO/IEC 27001 Annex A remains a bone of contention within SC 27, a Study Period was set up with these objectives:
– Consolidate Annex A and the Statement of Applicability;
– Invite expert opinions, including alternative views.
Ultimately, the goal was to resolve the issue once and for all. Let’s hope so. Crossing fingers.
It has been agreed to keep Annex A as a useful link between ’27001 and ’27002. Nevertheless, ’27001 may be changed to clarify that the Annex A controls do NOT have to be followed, so the SoA need not follow Annex A.
Architecture reference for a cybersecurity framework (NWIP)
The proposal calls for developing a common ‘reference architecture’ to be used when developing and implementing ‘cybersecurity frameworks or programs’. It is intended to align cybersecurity approaches and terminology, making it easier for organizations to communicate about this topic.
A good place to start would be clarifying what “cybersecurity” is…
Investigating the need for guidelines for Security Operations Centres (SP)
Considering how little is known about the design and management of SOCs (except by those organizations that have their own), this may be an interesting standard.
It followed up on a previous SP on “Incident response in ICT security operations”.
Commentary: I hope this will complement ISO/IEC 27035.
Big Data Security – Capability Maturity Model (NWIP)
A New Work Item Proposal proposes a Capability Maturity Model (CMM)-style standard for “big data” security.
As outlined in the proposal, the BDS-CMM would assess an organization’s level of big data security capability in four aspects: responsibilities, processes, technology/tools, and staff skills.
The standard would:
– Present, in a structured and standardized manner, a framework of best practices for process management and capability enhancement;
– Outline best practices for dealing with data security issues across the data lifecycle;
– Be adaptable to the objectives of any organization;
– Outline an organized approach to securing data.
Commentary: There are two issues I have with this proposal. First of all, despite its name, big data is not merely an extension of current data/IT trends leading to larger volumes of data, as implied in the proposal. It refers to finding useful patterns in massive data sets beyond what conventional data processing can provide, such as those that are vast and dynamic. Second, although the CMM is a useful tool for measuring and assessing maturity, I am not convinced that SC 27 is well placed to specify best practices in the realm of big data security – or small data security, for that matter. It’s good to follow best practices, but doesn’t ISO27k already do that?
Taking into consideration the challenges and risks, a revised NWIP proposed establishing security guidelines for big data platforms (infrastructure, data storage, interfaces, and data processing).
Despite the poor start, it will be interesting to see what SC 27 adds to the existing ISO27k standards regarding big data security.
Studies on cloud-based security
Three areas of interest have been identified by SC 27 WG4 as possible areas for cloud computing security standards, and at least three more studies have been initiated:
1. Cloud security assessment and audit – assessing the effectiveness of cloud security arrangements through evaluation, review, and audit.
2. Cloud-adapted risk management framework – assembling/adapting/applying ISO27k and other approaches to risk management for cloud computing [recommending an annex to ISO/IEC 27005 to cover cloud-related risks]. In the second call for contributions, participants primarily identified the need to compare the risks of cloud versus traditional in-house IT operations. Existing ISO27k standards may have a problem if ‘organizations’ are defined to cover multiple legal entities collaborating to deliver cloud services together. A Technical Report rather than an International Standard may be recommended.
3. Cloud security components – separating out the components that make up cloud security.
The ITU-T has also proposed “Guidelines for Cloud Service Customer Data Security”, a document addressing situations when cloud service providers must protect customers’ data (which is not always the case: customers may be responsible).
Other NWIPs have been proposed, including an initial proposal for “The architecture of trusted connection to cloud services”, later renamed “Security requirements in trusted connections to internet-based services”.
And another one: “The architecture for a virtual root of trust on cloud platform”.
A short Study Period on “Emerging virtualization security” took inputs from the Cloud Security Alliance on the security issues specific to virtualized networks, as opposed to virtual systems and storage. In other words, reality.
Testers and evaluators’ competencies in information security
“The scope of the proposed standard is to provide the minimum requirements for the competence of individuals performing testing and evaluation activities using ISO/IEC standards for evaluating or testing the security functionality of IT products.” [extracted from the New Work Item proposal].
Lack of standards in this area results in inconsistent conformance testing by testers and labs, according to the NWIP.
Commentary: The project looked like it would get underway, but it is no longer on my radar. Perhaps the project on ISO/IEC 27021 became merged into it?
Risk Handling Library (SP)
During this Study Period, a new Standing Document (guidance for use within SC 27) was proposed. Part of the problem was the lacklustre support for the SP, mainly because the purpose of the “Risk Handling Library” was unclear, poorly explained and perhaps even ill-conceived. Who is it intended for? Is it going to provide any benefits?
In addition to the currently accepted ISO27k standards, the SD may catalogue future/planned ISO27k standards. A draft produced in April 2017 simply referenced ISO27k and other standards that mention risk. It was no more than a bibliography: it did not cite the specific places where risk was discussed or quote any relevant passages.
Commentary: This overlaps both with the SD6 “Glossary of IT Security Terminology” and the Terminology Working Group.
The SC 27 has a habit of embarking on journeys to unknown destinations via unclear routes, then promptly getting stuck in tar pits and quagmires. My personal opinion is that the recurrent nightmares are caused by bad governance, but it could also be seen as a way to free-think or stimulate creativity. It would be fun, if there weren’t so many tedious, urgent things to do (27002 and 27005 revisions, Internet of Things and cloud security improvements, and so on), ideally with more creativity extending to the way the committee operates. It doesn’t help to add yet another thing to the pile. The only way to get out of a hole is to stop digging!
The first invitation to contribute received a negative response from committee members, and the second only one positive response.
There are also these recommendations: “ISO/IEC JTC 1/SC 27/SWG-T recommends to take the appropriate steps to make the new SC 27 Standing Document 19 Risk management resource library publicly available within SC 27.” Does the “Risk Management Resource Library” differ from the “Risk Handling Library” or is it something else?
A task force has been proposed for clarifying and coordinating terminology within each of SC 27’s standards and, once the standards come into effect, globally. The scope and purpose of the project have yet to be determined: that is, at least, what I believe it should do. Maybe there is a need for a TTF definition and scope project under SC 27?
Information Security Library (SP)
A study is examining the need for an Information Security Library (ISL) that would explain how all the standards within SC 27’s scope fit together and how organizations can make use of them. [This sounds much like the overview function of ISO/IEC 27000, though perhaps it would extend beyond the ISO27k standards to cover privacy, identity management, etc.] The ISL would guide the continued development of standards throughout SC 27, with an emphasis on accelerating the development of the more dynamic IT security elements as compared to the slower-evolving business and information security elements.
According to Draft Standing Document 16, the ISL should in effect constitute a roadmap for SC 27’s activities. It is expected that many, if not all, of SC 27’s projects will focus on maintaining/updating and extending Annex A.
Cybersecurity maturity model
An initiative was undertaken to define cybersecurity as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”.
Commentary: The ‘cyberspace’ is not clearly defined and quite obscure, so it is unclear what the maturity model would look like. As for reasons to use such a maturity model, I have no clear idea.
Former Study Periods (now closed)
– Cyber resilience standards and guidelines
A study was undertaken on the subject of ‘cyber resilience’ (various forms of the phrase are used). The term is unclear, so part of the study’s task was (hopefully) to define it, alongside ‘adverse cyber events’…
The call for contributions states: “Cyber resilience refers to the ability (of an organization, business process or system) to continuously deliver the intended outcome despite adverse cyber events. Organizational resilience refers to the adaptive capacity of an organization in a complex and changing environment (ISO 22300). These definitions will be revisited and are likely to be revised as part of the study period.”
During the study period, an interim report suggested that a new standard for a cyber resilience management system might be developed, maybe as a variant of 27001 or 27002, or perhaps as an ISO27k standard integrating ISO 22301.
An outline/skeleton of the standard suggested it might encompass the whole of information security management, not just safeguarding critical business operations during and despite IT system and network incidents, which raises questions about the project’s scope and purpose.
The SP reported an intention to develop a sector-specific version of ISO/IEC 27001 specifically for resilience using ISO/IEC 27009, a curious interpretation of “sector-specific”. Had it been approved, it would have produced a Technical Specification rather than an International Standard, guiding how ISO/IEC 27001, ISO/IEC 27002 and other relevant standards contribute to building organisational capability for cyber resilience.
The call for comments was extended for a while, but the project failed to garner any enthusiasm, resulting in zero (0, zero, null, nil, nothing, nowt) contributions. Given SC 27’s governance arrangements, it is unclear how this SP came into being in the first place.
Rather than simply kill off the moribund project, WG1 merged its other cybersecurity study periods into it.
Commentary: It is impossible to know the fate of this duck, but it is advancing towards the weir. References to ‘adverse cyber events’ failed to clarify the meaning of ‘cyber’. Unhelpfully, the call for contributions mentioned “the digital (cyber) domain” as well, further confusing matters. In addition, when it comes to information risk and security, resilience refers primarily to business continuity (continuation of critical business activities), not adaptability, which was the extent of the original definition. It wasn’t well thought out.
Could the second edition of ISO/IEC 27031 nail it?
– Cybersecurity SP
During the study period, the following conclusions were reached:
1. Discuss and refine the definition of cybersecurity within the scope of information security.
2. Use the word “cybersecurity” rather than “cyber security” or “cyber-security”.
3. Create a communications/outreach program explaining the importance of cybersecurity, and how it is largely met by ISO27k.
4. Establish a global cybersecurity framework standard.
5. Ensure “cyber resilience” is addressed somehow, such as through ISO 22301.
Commentary: Cyber in practice would refer to computing/IT, the Internet, major attacks by nation-states or terrorist groups on critical national infrastructures, artificial intelligence, electronics, robots, and likely many other things. These are not just minor differences in interpretation. They have distinctly different implications when it comes to information security and risk.