Other ISO27k standards

In addition to the ISO27k standards that have already been allocated numbers, SC27 is considering further ISO27k standards through a number of Study Periods leading normally to New Work Item Proposals, at which point (if agreed) they are generally allocated ISO27k numbers and get their own separate pages on this site.

Personal Information Management System (Study Period)

It is proposed to develop a standard specifying a Personal Identification Management System (PIMS) based on ISO/IEC 27001 and possibly ISO/IEC 29100.  The idea is to define common ground for the management of personal information, providing confidence in its management and facilitating compliance assessment against general privacy principles, data protection laws and good practices.

Issues to be addressed during the study period include assessing the viability of the project, and deciding whether to address “privacy”, “Personally Identifiable Information” and/or “personal information”.

Taxonomy (Study Period)

As a result of a previous proposal to restructure ISO/IEC 27002 completely, a study period is under way to consider the merits of defining a taxonomy of information security, being a framework defining the main information security domains and their relationships.  This may yet evolve into an internal guideline for SC27, providing greater consistency and coherence to all the ISO27k projects.

Storage Security (Study Period)

A study period is assessing the need for a standard that will presumably cover the protection of information storage media against various information security risks.  Whether this will include just digital storage media or all forms of media (e.g. including paperwork, analogue CCTV and audio tapes) remains to be seen.

ICT Supply Chain Security (Study Period)

A study period is considering the value of a standard covering information security aspects of supply chain relations - for example the secure handling of valuable information about orders and prices between business partners.

ISO/IEC 27011-27019?: further sector-specific ISMS implementation guidelines

A suite of ‘sector-specific’ ISMS implementation guidelines was planned to help certain industries implement the ISO27k standards.  These would offer advice on the application of typical information security controls already noted in ISO/IEC 27002 within each industry, but may include new information security controls that are specific to certain industries.

ISO/IEC 27011, the first of the series, provides ISMS implementation guidance for the telecoms industry.

ISO/IEC 27012 was proposed for eGovernment services but canned due to a lack of interest.

ISO/IEC 27015 will provide ISMS implementation guidelines for the financial services sector.  The project is struggling along.

Other industry sectors may also be covered by similar ISMS implementation guidelines, such as:

  • “The energy sector” and/or “utilities” - electricity generation and distribution, oil and gas refining and distribution etc.;
  • “The healthcare sector” potentially including primary/local healthcare, hospitals, health boards, pharmaceuticals and more.  As with the finance sector, it remains to be determined what will happen to ISO 27799 and other healthcare information security standards developed independently of SC27;
  • “The defense sector” (armed forces and defense contractors/suppliers, perhaps including aerospace?) for whom security and information security are clearly vital, although national interests may preclude or at least complicate international cooperation on common ISMS guidelines;
  • “The transportation sector” potentially including train and bus companies, airlines etc. although a proposed project to develop ISMS implementation guidelines for the automotive sector, specifically, was abandoned;
  • “The food sector” potentially ranging from primary production (farms) through wholesale distribution to retail outlets (shops);
  • “The media sector” (news, publishing etc.) for whom information is of course a vital raw material and the primary product;
  • Other sectors: countries/nations define their most important and valuable industries differently.  Holiday spots might define “the tourism sector” as vital, for instance, while something like “bauxite mining” might be crucial to just a few.  ISMS implementation standards could potentially be developed to cover any sector although there are practical constraints such as the limited number of people working in SC27 (most of whom are volunteers with day-jobs to maintain) and the level of contributions required from each sector.

It is interesting to note that ISO/IEC 27001 and 27002 are well written, broadly applicable and popular standards; in fact, it is difficult to think of ways in which more detailed or specific guidance might be needed in certain industries beyond that provided in the generic standards.

Copyright © 2012 IsecT Ltd.