Roadmap ISO/IEC 2700x

ISMS – Information Security Management System
Agenda
ANSIL
ISO/IEC security standardisation
JTC 1
SC 27
WG 1
A “long” way to the ISMS
BS 7799 history
SC27/WG1 roadmap
The “2700x family”
News from Moscow

S5 – Roadmap ISO/IEC 2700x - Pascal Steichen (ANSIL) 2


ANSIL
Goals (extracts):
study and analyse all types of normative documents,
create expert groups (committees),
– ... economic interests of Luxembourg,
– work by consensus,
... interface between ... actors and official institutions,
... raise awareness ... promote ... encourage standardisation,
... in compliance with ISO/IEC, CEN/CENELEC ....
...

ANSIL
current committees:
CNLSI
– information security
– member of ISO/IEC JTC1/SC27
– ~ 15 active people
– focused on WG 1, 2 and 4

CNLQSI
– information systems quality (ITIL, ...)
– member of ISO/IEC JTC1/SC7
– ~ 7 active people
– focus on WG 7, 10, 24 and 25 (ISO/IEC 20000)

ISO/IEC security standardisation
standardisation process (~5 years from SP to IS):
SP (study period)
NWI (new working item)
WD (working draft)
CD (committee draft)
FCD (final committee draft)
DIS (draft for international standard)
FDIS (final draft for international standard)
IS (international standard)

ISO/IEC security standardisation

ISO/IEC security standardisation
JTC 1 – Information technology standards
At a glance
Scope
– Standardisation in the field of information technology
Membership
– 31 P-countries
– 45 O-countries
– 38 liaisons (internal and external)
Structure
– 17 Sub Committees
Products
– 2076 international standards published

ISO/IEC security standardisation
JTC 1 – Information technology standards
Mission statement (develop standards concerning:)
design and development of IT systems and tools
performance and quality of IT products and systems
=> security of IT systems and information <=
portability of application programs
interoperability of IT products and systems
unified tools and environments
harmonized IT vocabulary
user friendly and ergonomically designed user interfaces
Principles
strong business-like approach
including multicultural requirements
standards development environment which attracts technical experts

ISO/IEC security standardisation
SC27 – IT security techniques
At a glance
Chair: Dr. Walter Fumy (Germany)
published standards: 73
Members: 35 (P), 13 (O)
Liaisons:
– ISO TC 68/SC 2, TC 68/SC 7, TC 215, ...
– ... ECBS, Ecma International, ITU, MasterCard, Visa Europe, ...
Meetings: ~ every 6 months

ISO/IEC security standardisation
SC27 – IT security techniques

A long way to the ISMS
The “7799” history

A long way to the ISMS
The WG1 roadmap
Purpose:
positive identification of WG1 related standards,
logical reasoning and relationships of WG1 related standards,
integrated and coordinated framework to avoid duplication,
planning tool,
greater coordination with other committees.
Types:
Type A – Vocabulary Standards (e.g. 27000, SD6)
Type B – Requirements Standards (e.g. 27001, 27006)
Type C – Guidelines Standards (e.g. 27002 (17799), 27003, 27005)
Type D – Related Standards

The “2700x” family

The “2700x” family
ISO/IEC 27000 – ISMS - Overview and vocabulary
Status:
CD (Committee Draft)
Definitions (examples):
information security
preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved
information security management system – ISMS
a part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
risk
combination of the likelihood of an event and its consequence
risk management process
the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk

The “2700x” family
ISO/IEC 27001 ISMS – Requirements

The “2700x” family
ISO/IEC 27005 – Information security risk management
Status:
FCD (Final Committee Draft)

The “2700x” family
ISO/IEC 27002 – Code of practice for ISM

The “2700x” family
ISO/IEC 27003 – ISMS implementation guidance
Status:
WD (Working Draft)
Objectives (provide):
a description of the organization's information security management system, represented as a fundamental set of policies, procedures and controls;
the basis for continued planning and improvement; and
a harmonized framework where consideration has been taken of the results from operational, situational and risk analysis

The “2700x” family
ISO/IEC 27004 – ISM measurements
Status:
CD (Committee Draft)
Scope:
developing measurements
implementing and operating an information security measurement program
collecting, analysing, and communicating measurements to stakeholders
using collected measurements as contributing factors to ISMS-related decisions
using collected measurements to effect improvement of the ISMS
facilitating improvement of the information security measurement process

The “2700x” family
ISO/IEC 27006 – Requirements for bodies providing audit and certification of ISMS
Scope:
based on the requirements from ISO/IEC 17021:2006
– Conformity assessment – Requirements for bodies providing audit and certification of management systems
provides guidance for bodies providing audit and certification of an ISMS

The “2700x” family
(ISO/IEC 27007) – ISMS auditor guidelines
Status:
SP (Study Period)
Contributions from:
Sweden
Japan
China

News from the front
34th SC27 WG1 Meeting in Moscow May 4th-8th
Resolutions
Documents for study and comments (WD):
– ISO/IEC 27003 (registered for CD)
– WG 1 SD 1
Documents for 2nd CD:
– ISO/IEC 27000 (registered for FCD)
– ISO/IEC 27004 (registered for FCD)
Documents for FCD:
– ISO/IEC 27011 [fast-track] (registered for FDIS)
» basis for sector-specific ISMS set of principles
Documents for 2nd FCD:
– ISO/IEC 27005 (registered for FDIS)

News from the front
34th SC27 WG1 Meeting in Moscow May 4th-8th
Resolutions
ISO/IEC 27007 SP -> NWI (NP ballot)
Study Periods:
– Technical ISM Audits
– Sector-specific ISMS for WLA
– Sector-specific ISMS for Automotive Ind.

Questions?

Thank you for your attention

Pascal Steichen
ANSIL
www.ansil.eu
contact@ansil.eu