What is ISO 27010?
ISO/IEC 27010:2015 provides guidance on methods, models, processes, policies, controls, protocols and other mechanisms for sharing information with trusted counterparties while upholding the basic principles of information security.
The International Electrotechnical Commission (IEC) and the International Organisation for Standardisation (ISO) jointly published ISO 27010. Beyond the guidance in the rest of the ISO/IEC 27000 family, the standard guides the implementation of information security management within information sharing communities.
ISO 27010 aims to secure the sharing of sensitive information about critical infrastructures. It proposes standard rules to prevent security problems when transferring confidential information, covering:
- Exchanging information between organisations
- The risks of sharing knowledge
- Introducing controls to mitigate such risks
- Potential incidents that could occur
ISO 27010 offers guidelines on information security interworking and cooperation between organisations in the same sectors, in separate sectors of industry and with governments.
The standard also sets out guidance for sharing information in times of crisis and protecting vital infrastructure as well as for mutual understanding in normal business circumstances to satisfy legal, regulatory and contractual obligations.
The history of ISO/IEC 27010:2015
First published in 2012, ISO 27010 was revised in 2015 to align with the 2013 editions of ISO/IEC 27001 and ISO/IEC 27002. The second edition, ISO/IEC 27010:2015, was released in December 2015.
Why is ISO 27010 important?
Information sharing, such as the exchange of threat intelligence, has its own drawbacks. For example, organisations may end up receiving raw, unevaluated information that adds to the burden on their security team by increasing the number of alerts and incidents rather than reducing them. Some security vendors are also reluctant to share data for fear of eroding their competitive advantage.
The ISO/IEC 27000 series of standards addresses some of these problems. Every organisation is encouraged to assess its risks and then treat them according to its needs, drawing on advice and support where appropriate and applying information security controls. ISO/IEC 27010 provides controls and guidance on establishing, implementing and maintaining information security in inter-organisational and inter-sector communications. It also offers general principles on how to meet the defined requirements using existing messaging and other technical methods.
The standard applies to all forms of exchanging and sharing sensitive information, public and private, nationally and internationally, and not only within or between industry or business sectors. In particular, it applies to information exchanges related to providing, sustaining and protecting the critical infrastructure of an organisation or nation state. Built to promote trust while exchanging and sharing confidential information, ISO 27010 facilitates the international growth of information-sharing cultures.
Relationship with other standards
The ISO/IEC 27000 series offers best-practice guidance on information security management. ISO/IEC 27010:2015 is a sector-specific complement to ISO/IEC 27001:2013 and ISO/IEC 27002:2013 for information sharing communities; its guidelines supplement the generic guidance provided by the other members of the ISO/IEC 27000 family. Where applicable, certification bodies accredited under ISO/IEC 27006 can refer to ISO 27010 when auditing and certifying an ISMS.
ISO 27010 also sets out general approaches to the information security aspects of drafting and enforcing policies and procedures, to training and awareness for those taking part in the sharing process, and to the independent evaluations or audits that confirm conformity with ISO/IEC 27010 and other relevant ISO27k standards.
ISO 27010, ISO 27001 and ISO 27002
ISO/IEC 27010:2015 complements ISO/IEC 27001:2013 and ISO/IEC 27002:2013. ISO 27010 offers advice on interpreting ISO 27001's requirements when exchanging information between organisations, and provides additional controls and information sharing guidance beyond those found in ISO 27002.
ISO/IEC 27001:2013 and ISO/IEC 27002:2013 address information exchange between organisations, but only in broad terms. If an organisation wishes to pass confidential information to several other organisations, those recipients must assure the originator that the information will be subject to appropriate security controls on their side.
Organisations can achieve this by forming an information sharing community in which each participant trusts the others to safeguard the shared information, even where the participants are otherwise competitors.
ISO 27010 introduces new controls under clause 8.4 (Information exchanges protection) that address a range of issues ISO 27002 does not cover explicitly, some of which run counter to conventional non-repudiation requirements: in particular, protecting the anonymity of the source of exchanged information. Although ISO 27002 is adequate for standard supplier scenarios, ISO 27010 supplies the additional material needed for these more complex situations.
Who can implement ISO 27010?
This International Standard is relevant to all businesses and organisations that exchange sensitive information, publicly or privately, in any sector. In particular, it applies to information exchanges related to providing, sustaining and protecting the critical infrastructure of an organisation or nation state, because the standard promotes the building of trust while exchanging and sharing sensitive information.
It is relevant to any organisation that provides or uses information sharing facilities protected by an information security management system (ISMS). It may also benefit large organisations with geographically dispersed functions that exchange information across departments or locations.
Getting started with information sharing
Without trust, an information sharing community cannot function. Those supplying information must trust recipients not to disclose or mishandle it. Those receiving information must be able to trust its accuracy, and must respect any handling requirements notified by the originator. Both aspects are critical. ISO 27010 expects information sharing communities to demonstrate sound security policies and good practice. To do this, all members adopt a collaborative management system covering the security of the shared information, preferably an ISMS.
Information sharing may take place between groups where the sharer isn’t aware of all recipients. Sharing information in this way will only work if the communities have sufficient confidence and information-sharing agreements. It is particularly relevant for sharing sensitive information among diverse communities, such as different industries or market sectors.
One scenario in which information is shared is the aftermath of a data breach. Sharing details of potential vulnerabilities and security concerns illustrates both the problems and the benefits of information sharing. These exchanges usually take place under extreme time pressure in a chaotic atmosphere, hardly the best environment in which to build trusting working relationships and agree adequate security controls. The risk of sharing information about security incidents between organisations depends on the particular situation, but when done securely such sharing can prevent other organisations from suffering the same problems.
ISO/IEC 27010:2015 requirements
ISO 27010 consists of 18 clauses and 4 annexes.
ISO/IEC 27010:2015 clauses
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Concepts and justification
- 4.1 Introduction
- 4.2 Information sharing communities
- 4.3 Community management
- 4.4 Supporting entities
- 4.5 Inter-sector communication
- 4.6 Conformity
- 4.7 Communications model
Clause 5: Information security policies
- 5.1 Management direction for information security
Clause 6: Organization of information security
Clause 7: Human resource security
- 7.1 Prior to employment
- 7.2 During employment
- 7.3 Termination and change of employment
Clause 8: Asset management
- 8.1 Responsibility for assets
- 8.2 Information classification
- 8.3 Media handling
- 8.4 Information exchanges protection
Clause 9: Access control
Clause 10: Cryptography
- 10.1 Cryptographic control
Clause 11: Physical and environmental security
Clause 12: Operations security
- 12.1 Operational procedures and responsibilities
- 12.2 Protection from malware
- 12.3 Backup
- 12.4 Logging and monitoring
- 12.5 Control of operational software
- 12.6 Technical vulnerability management
- 12.7 Information systems audit considerations
Clause 13: Communications security
- 13.1 Network security management
- 13.2 Information transfer
Clause 14: System acquisition, development and maintenance
Clause 15: Supplier relationships
- 15.1 Information security in supplier relationships
- 15.2 Supplier service delivery management
Clause 16: Information security incident management
- 16.1 Management of information security incidents and improvements
Clause 17: Information security aspects of business continuity management
- 17.1 Information security continuity
- 17.2 Redundancies
Clause 18: Compliance
- 18.1 Compliance with legal and contractual requirements
- 18.2 Information security reviews
ISO/IEC 27010:2015 annexes
Annex A: Sharing sensitive information
- A.1 Introduction
- A.2 Challenges
- A.3 Potential benefits
- A.4 Applicability
- A.5 Defining and operating an information sharing community
- A.6 Information exchange agreements
- A.7 Success factors
- A.8 Scope of the ISMS for an information sharing community
Annex B: Establishing trust in information exchanges
- B.1 Statement of trust
- B.2 Technological support
- B.3 Assessing trustworthiness of information
Annex C: The Traffic Light Protocol
Annex D: Models for organizing an information sharing community
- D.1 Introduction
- D.2 Trusted Information Communication Entities
- D.3 Warning, Advice and Reporting Points
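The two distinctly 27010-flavoured items above, the source-anonymity control in clause 8.4 and the Traffic Light Protocol in Annex C, are easier to reason about as code. The following is an added example written for this page, not text or code from ISO/IEC 27010 or from FIRST: a redistribution check that applies the four-colour TLP scheme (RED, AMBER, GREEN, WHITE) in use when the 2015 edition was published, plus an anonymising forward step of the kind a community operator such as a WARP could apply before relaying a member's report. The members, the report, the `channel` parameter and the reading of "clients who need to know" as the recipient's own organisation are constructed assumptions, not definitions from the standard.

```python
"""Added example (not from ISO/IEC 27010): TLP-aware redistribution check
and source-anonymising forward for an information sharing community.
All members, reports and handling interpretations below are constructed."""
from dataclasses import dataclass, replace
import re

# Strictness order of the four-colour TLP scheme (assumed labels, upper case).
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}

@dataclass(frozen=True)
class Member:
    name: str        # a person or team handle, e.g. "acme-soc"
    org: str         # the organisation they belong to
    community: str   # the information sharing community of that organisation

@dataclass(frozen=True)
class Report:
    tlp: str
    originator: Member
    recipients: frozenset   # Members who were party to the original exchange
    body: str

def may_redistribute(report, sender, recipient, channel="direct"):
    """Decide whether `sender` may pass `report` to `recipient`.

    Returns (allowed, reason). Fails closed on unknown labels and on senders
    who were never party to the exchange. `channel` is "direct" or "public";
    only TLP:WHITE may travel over a publicly accessible channel.
    """
    label = report.tlp.upper()
    if label not in TLP_RANK:
        return False, f"unknown TLP label {report.tlp!r}; handle as TLP:RED"
    if sender != report.originator and sender not in report.recipients:
        return False, f"{sender.name} was not a party to this exchange"
    if channel == "public" and label != "WHITE":
        return False, f"TLP:{label} must not be sent over a public channel"
    if label == "WHITE":
        return True, "TLP:WHITE carries no sharing restriction"
    if label == "GREEN":
        if recipient.community == sender.community:
            return True, "TLP:GREEN permits sharing within the community"
        return False, f"{recipient.org} is outside community {sender.community!r}"
    if label == "AMBER":
        # Assumption: "clients who need to know" is modelled as the same organisation.
        if recipient.org == sender.org:
            return True, "TLP:AMBER permits sharing within the recipient's organisation"
        return False, "TLP:AMBER limits disclosure to the recipient's own organisation"
    # TLP:RED - participants of the original exchange only, no onward sharing.
    if recipient == report.originator or recipient in report.recipients:
        return True, "TLP:RED recipient is already a party to the exchange"
    return False, "TLP:RED forbids disclosure beyond the original participants"

_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def anonymise(report, forwarder, to):
    """Re-issue `report` with the originator hidden behind `forwarder`
    (e.g. the community WARP) and addressed to `to`. The originator's
    organisation name and any e-mail addresses are redacted from the body.
    The TLP label is never relaxed: only the originator may relabel.
    Caveat: pattern redaction cannot catch free-text details that still
    identify the source; a human review step belongs before release."""
    org_pattern = re.compile(re.escape(report.originator.org), re.IGNORECASE)
    body = org_pattern.sub("[originating member]", report.body)
    body = _EMAIL.sub("[redacted e-mail]", body)
    return replace(report, originator=forwarder, recipients=frozenset(to), body=body)

if __name__ == "__main__":
    # Constructed sample community.
    warp = Member("warp-ops", "Sector WARP", "water-sector")
    acme = Member("acme-soc", "Acme Water", "water-sector")
    beta = Member("beta-ir", "Beta Utilities", "water-sector")
    beta_ops = Member("beta-ops", "Beta Utilities", "water-sector")
    cert = Member("gov-cert", "National CERT", "government")
    report = Report("AMBER", acme, frozenset({beta}),
                    "Acme Water saw phishing from attacker@example.net today.")
    print(may_redistribute(report, beta, beta_ops))   # allowed: same organisation
    print(may_redistribute(report, beta, cert))       # refused: outside organisation
    print(anonymise(report, warp, {cert}).body)        # source and e-mail redacted
```

The check returns a reason string alongside the decision so that a refusal can be logged and audited, which is the evidence an information exchange agreement (Annex A.6) will ask the community to keep. Note that `anonymise` deliberately leaves the label untouched: downgrading a report's sensitivity is the originator's decision, not the forwarder's.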