ISO/IEC JTC1/SC27 report 2

Hello again from the ISO/IEC JTC 1/SC 27 meeting in Singapore.

Today I have been involved in a session considering the ~800 comments received on the last working draft of the revised ISO/IEC 27002 (got that?!). The enormous number of comments reflects the breadth of interest in this standard, and the need to update it in various respects to catch up with differences in information security controls since the 2005 version.  That version was written about 7  to 8 years ago, so you can probably guess at some of the significant changes that we are considering. Aside from obvious examples such as cloud computing, we are also dealing with more general changes such as the continued move from IT security to information security, which means incorporating and/or explaining controls in a broader context than purely IT or communications technology, going beyond the traditional remit of the IT department. 

Today so far we have been discussing changes to section 10 "Communications and operations management". It seems from the discussion that some people have hitherto been interpreting and using this section as an ICT-specific suite of controls, primarily technical IT security controls plus some manual/procedural controls that happen to apply to IT people. However, I read the existing text more broadly than that, but admittedly it is a bit of a stretch to cover broader security aspects of changes to processes involving information that fall outside of IT.  Some national bodies agree that we might broaden the section 10 text subtly to incorporate  aspects beyond as well as within IT, but this was not accepted by all.  There is a valid concern that we might be opening up the scope too far, and a counterpoint that restricting section 10 to IT  is too narrow. There was no resolution to this today but comments were accepted from both perspectives - in other words the ambiguity of the scope of this section continues.

Discussion around change management went in a complete circle: at one point we agreed to combine and rationalised two existing change management sections, but following discussion about the two sections applying to different business functions, the decision was reversed. We missed the chance to reduce the duplication.

Overall, the discussions today on 27002 have been positive, helpful and respectful of all opinions. We are making good progress.