ISO/IEC 27000 - UPDATED

I spent the morning reviewing the Draft International Standard version of ISO/IEC 27000:2016, in particular checking carefully through the definitions section for changes since the current 2014 version in order to update our information security glossary. 

I noticed that "executive management" is now defined in addition to "top management". The difference between these terms is quite subtle: whereas it appears the former always refers to the most senior managers within the entire organization, the latter may refer to senior managers within a business unit, department etc. if the scope of an ISMS is limited to that particular business unit, department etc. In practice, this distinction is unhelpful except under particular circumstances which might have been covered by a note to the definition of "executive management". To this native English speaker, "top management" is an obscure term - in fact I don't recall ever hearing or using it outside the ISO27k context. "Senior management" or "executive management", certainly, but not "top management", with, by natural extension, the rather unsavoury implication that there might also be "bottom management". I guess this is simply the outcome of someone literally translating the equivalent term in another language, and I look forward to the day when "top management" is finally expunged from the ISO27k lexicon.

Being a perfectionist by nature, I could and indeed sometimes do quarrel with many of the definitions in ISO/IEC 27000. Most of the terms are perfectly well defined in the dictionary - in fact, dictionaries generally make a much better job of it. While the committee might claim that they are defining specialist terms of art, good dictionaries include such specialist, obscure or archaic definitions but these normally follow the current usage, which is expressed in plain English written by professional linguists. The sequential approach is especially helpful for those who struggle with English, since the initial plain-language definitions make it easier to comprehend the specialist definitions that follow, in most cases anyway.

Take "risk" for example. ISO/IEC 27000 defines risk very succinctly and broadly, though not very helpfully, as "effect of uncertainty on objectives", and then goes on to muddle things with 6 'notes to entry' (i.e. notes!) which include further, often equally vague or obscure definitions (e.g. "An effect is a deviation from the expected - positive or negative"). Only the last two notes refer specifically to information security risk, the remainder being generic. Compare that to, say, the Oxford Dictionaries definitions of "risk". Do you see what I mean?

Similarly, "organization" is defined in the standard as [a] "person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (2.56)" with a 'note to entry' that gives some examples of what we generally understand to be organizations, albeit using pseudo-legalese ("... includes but is not limited to ..."). The definition mentions that an organization might be a person, whereas in common use a person is, well, a person. Furthermore, elsewhere the same standard specifies "person or organization", making the distinction redundant. A lay person would not define an organization as "... a group of people that has its own functions ...": the definition is curious, to say the least. Although strictly speaking "objectives" are not defined, the singular form is defined in section 2.56 as "result to be achieved", followed by another 4 'notes to entry'. All in all, the standard makes a meal of defining a relatively simple, straightforward concept, and this is definitely not the only such instance. Several definitions are incomplete, misleading or inaccurate, some are gibberish, a few are self-referential (e.g. the definition of "external context" starts with "external environment" without any attempt to define "external") and one uses the term "conformance", which is deprecated in the very same document.

Worst of all, several terms or concepts that are absolutely crucial to information security (such as "accountability", "information" and "information risk") remain totally undefined.

As if that's not enough, the formatting (fonts and spacing) is inconsistent ... and I'm still only halfway through the document's 40-odd pages. Life's too short!

Now perhaps you appreciate why I chose to illustrate this post with that nice black-and-white photo of a right pig's ear ...

UPDATE (July 2016): the 4th edition of ISO/IEC 27000 is now available for FREE