ISO/IEC 27001 and 27031 revisions

Today I've spent (?invested?) some time and brainwaves into the ISO27k standards.

First, ISO/IEC 27002 is currently being revised. The revision involves completely restructuring the controls described in the current standard into 4 "themes": 
  1. Organizational; 
  2. People; 
  3. Physical; and 
  4. Technical. 
Clearly those are not truly orthogonal or distinct categories - for example organizational controls are quite likely to involve people (e.g. policies and procedures), physical (e.g. physical access) and/or technical (e.g. IT) aspects. Some security controls may fit into any of those categories, so the choice is arbitrary. However, the categorization doesn't matter much. It is really just a convenient order for the standard, especially as the controls are going to be further 'tagged' with other attributes such as:
  • "Information security properties" i.e. confidentiality, integrity or availability (the classic CIA triad - not Donn Parker's hexad, I note);
  • "Control type" i.e. preventive, detective or reactive (reflecting the time relative to the occurrence of events or incidents that the control acts);
  • "NIST cyber security framework classifications" i.e. identify; protect; detect; respond; recover (notice that is an extension of the "Control types" tagset);
  • "Information security management life cycle" i.e. creation; distribution; transmission; access; retrieval; storage; use; preservation; control of change; disposal (despite the title, these tags appear to relate to the lifecycle of data not of 'information security management' which would, in fact, be some sort of process maturity sequence);
  • Other tagsets, yet to be determined.
Anyway, leaving all that aside, we have our chance right now to consider and contribute to the revision of the infosec controls that are currently in 27002, perhaps culling those that are no longer worthy of inclusion and adding others that are, as well as rewording the existing set. What fun! I've spent a few hours today thinking and commenting.

I've also glanced through the 4th working draft revision of ISO/IEC 27031 on "Information technology – Cybersecurity – Information and communication technology readiness for business continuity". 

Golly, another ISO27k standard that fails to define that word "cybersecurity". It's in the title, so we are supposed to just know, I guess. Or guess, I know.

Given that ISO 22301 does such a good job on business continuity, I honestly don't see much point to this ICT-focused standard. If it is to remain a part of ISO27k, it at least ought to be properly aligned with ISO 22301, and ideally extended beyond the ICT domain since ISO27k is about information risk and security, not just ICT.

Although this standard vaguely mentions resilience to as well as recovery from disastrous situations, the coverage on resilience is distinctly light, perhaps because of the definition: 
“Resilience: ability to transform, renew, and recover, in timely response to events”.
That’s plain weird! Resilience is an ordinary common-or-garden English word, meaning that any half-decent dictionary is likely to have a perfectly serviceable definition, including the Oxford English dictionary that is supposed to be the default reference for all standard terms in ISO27k. I don't have the OED to hand but I would be gobsmacked if it didn't talk about another meaning relating to elasticity - the ability for things under stress to bend without breaking. If SC27 insists on defining the word, I suggest that resilience in the information risk and security context generally concerns the latter meaning. It’s about toughness and determination, keeping the essential core business activities (plus the supporting/enabling information processes, applications, systems, networks, data flows, services etc.) going despite and through adversity. Resilience controls include widely-applicable and sound engineering concepts such as redundancy, robustness and flexibility, ensuring that vital business operations are not materially degraded or halted by incidents - they keep right on running, albeit often at somewhat reduced performance or capacity. In this day and age, high-availability 24x7 systems and networks are hardly radical but SC27 just doesn’t seem to get it. Is it really that hard?

So, there we go, the day is history and another working week draws to a close.