Jul 03

ISO IEC TS 27110 pdf – Information technology, cybersecurity and privacy protection — Cybersecurity framework development guidelines

The value of applying the guidelines in this document is that users of different cybersecurity frameworks can communicate with each other. These concepts are intended to give a cybersecurity framework creator a starting point, and when used collectively, provide an effective structure in organizing a cybersecurity framework.
5 Concepts
5.1 General

The purpose of subclauses 5.2 to 5.6 is to describe the concepts in a cybersecurity framework. These concepts are intended to give a cybersecurity framework creator a starting point. While every cybersecurity framework has different stakeholders and requirements, the concepts below remain constant and, thus, serve as the basis for any cybersecurity framework. The concepts listed below are not intended to provide sufficient detail for implementation of cybersecurity within an organization.

These concepts can be arranged in a process model. However, other configurations can work given the cybersecurity framework creator's stakeholder requirements. Cybersecurity framework creators can choose to augment the cybersecurity framework with additional concepts which provide value to their stakeholders or satisfy specific requirements. Furthermore, some cybersecurity framework creators can choose to enhance these concepts with categories and subcategories to provide more guidance to their stakeholders or satisfy requirements. Some contexts can warrant a greater level of detail than categories. If that is the case, cybersecurity framework creators may specify additional, more detailed statements that would align at the subcategory level.

The concepts presented below are independent of time, context, granularity of scope, and market conditions. While sequence of events, unique operating constraints, and business drivers are all important factors when designing a cybersecurity framework, they are considered implementation details.

5.2 Identify

A cybersecurity framework should include the Identify concept. The Identify concept develops the ecosystem of cybersecurity which is being considered. This ecosystem is used when developing the Protect, Detect, Respond and Recover concepts. Examples of ecosystem considerations are: business objectives, business environment, stakeholders, assets, business processes, laws, regulations, threat environment and cyber risks. The Identify concept addresses people, policies, processes and technology when defining the scope of activities.

The Identify concept can include many categories relating to scoping particular activities to only those which are relevant. Categories can include: business environment, risk assessment, risk management strategy, governance, asset management, business context analysis and supply chain considerations.

The activities in scope of the Identify concept are foundational for cybersecurity. The Identify concept can include an understanding of business context, stakeholders, the cybersecurity ecosystem and dependencies. An organization's presence in cyberspace, its cyber persona, the business-critical functions and information and their related resources can also be important. The understanding gained from the Identify concept enables a flexible and repeatable view of cybersecurity for an organization to focus and prioritize its efforts.

A cybersecurity framework creator should consider evolving cyber threats and emerging technology when designing the Identify concept. Otherwise, the resulting cybersecurity framework can fail to appropriately meet future requirements.

5.3 Protect

A cybersecurity framework should include the Protect concept. The Protect concept develops appropriate safeguards to protect an organization's cyber persona, ensure preventative controls are working, and produce the desired readiness of the organization to deliver critical services and maintain its operations and security of its information. The Protect concept can contain many categories and activities related to the safeguarding of assets against intentional or unintentional misuse. The Protect concept can include controls for traditional IT system security, industrial control systems or internet of things.

Categories can include: access control, awareness and training, data security, information protection processes and procedures, maintenance, protective technology, security architecture, asset configuration, systems segregation, traffic filtering, cryptography, security administration and maintenance, identity and access management and data security.

A cybersecurity framework creator should determine the scope of the Protect concept. Prevention and threat-oriented approaches can be used. When developing the Protect concept, a cybersecurity framework creator should consider protection for people, process and technology.

5.4 Detect

A cybersecurity framework should include the Detect concept. The Detect concept develops the appropriate activities to discover cybersecurity events. The activities in the Detect concept provide an organization the ability to proactively observe changes in behaviours, states, traffic, configuration or processing of its key resources. These changes can be internal or external, intentional or unintentional. By understanding the changing landscape, the organization can make updates to policies, procedures and technology as needed.
