BS ISO IEC 27010 pdf download


ISO/IEC 27010 — Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
1 Scope
This International Standard provides guidelines in addition to the guidance given in the ISO/IEC 27000 family of standards for implementing information security management within information sharing communities. This International Standard provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organizational and inter-sector communications. It provides guidelines and general principles on how the specified requirements can be met using established messaging and other technical methods. This International Standard is applicable to all forms of exchange and sharing of sensitive information, both public and private, nationally and internationally, within the same industry or market sector or between sectors. In particular, it may be applicable to information exchanges and sharing relating to the provision, maintenance and protection of an organization's or nation state's critical infrastructure. It is designed to support the creation of trust when exchanging and sharing sensitive information, thereby encouraging the international growth of information sharing communities.
4 Concepts and justification
4.1 Introduction
ISMS guidance specific to inter-sector and inter-organizational communications has been identified in Clauses 5 to 18 of this International Standard. ISO/IEC 27002:2013 defines controls that cover the exchange of information between organizations on a bilateral basis, and also controls for the general distribution of publicly available information. However, in some circumstances there exists a need to share information within a community of organizations where the information is sensitive in some way and cannot be made publicly available other than to members of the community. Often the information can only be made available to certain individuals within each member organization, or may have other security requirements such as anonymization of information. This International Standard defines additional potential controls and provides additional guidance and interpretation of ISO/IEC 27001:2013 and ISO/IEC 27002:2013 in order to meet these requirements.

There are four informative annexes. Annex A describes the potential benefits from sharing sensitive information between organizations. Annex B provides guidance on how members of an information sharing community can assess the degree of trust that can be placed in information provided by other members. Annex C describes the Traffic Light Protocol, a mechanism widely used in information sharing communities to indicate the permitted distribution of information. Annex D contains some examples of models for organizing an information sharing community.

4.2 Information sharing communities
To be effective, information sharing communities must have some common interest or other relationship to define the scope of the shared sensitive information. For example, communities may be market sector specific, and limit membership to organizations within that one sector. Of course, there may be other bases for common interest, for example, geographical location or common ownership.

There must also be trust between members, in particular that all members will follow the information sharing agreement.

4.3 Community management
Information sharing communities will be created from independent organizations or parts of organizations. There may, therefore, not be clear or uniform organizational structures and management functions applying to all members. For information security management to be effective, management commitment is necessary. Therefore, the organizational structures and management functions applying to community information security management should be clearly defined.

Differences among member organizations of an information sharing community should also be considered. The differences could include:
— differing legal or regulatory environments,
— whether member organizations already operate their own ISMS, and
— member rules on protections of assets and information disclosure.

4.4 Supporting entities
Many information sharing communities will choose to establish or appoint a centralized supporting entity to organize and support information sharing. Such an entity can provide many supporting controls such as anonymization of source and recipients more easily and efficiently than where members communicate directly. There are a number of different organizational models that can be used to create supporting entities. Annex D describes two common models, the Trusted Information Communication Entity (TICE) and the Warning, Advice and Reporting Point (WARP).
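To make the distribution rules of 4.1 to 4.4 concrete, the following Python model is an added example (not text or code from the standard or this page): it decides whether a member may pass a report on to another person under its Traffic Light Protocol marking, and shows a supporting entity relaying a report with the source anonymized. The TLP level definitions follow the FIRST TLP 2.0 publication; the community, organizations, individuals and client relationships are constructed for the example.

```python
from dataclasses import dataclass, replace

# FIRST TLP 2.0 markings, least to most restrictive. Everything else below
# (community "finsec", the orgs and people) is constructed sample data.
TLP_LEVELS = ("CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED")

@dataclass(frozen=True)
class Member:
    person: str     # named individual who holds or would receive the report
    org: str        # member organization
    community: str  # information sharing community the org belongs to

@dataclass(frozen=True)
class Report:
    source: str                  # originating organization, or the supporting entity
    tlp: str                     # one of TLP_LEVELS
    named_recipients: frozenset  # individuals the originator addressed (TLP:RED scope)
    body: str

def may_forward(report, holder, candidate, clients=frozenset()):
    """May `holder` pass `report` to `candidate` under the report's TLP marking?
    `clients` is the set of organizations that are clients of holder.org (TLP:AMBER)."""
    if report.tlp not in TLP_LEVELS:
        raise ValueError(f"unknown TLP marking: {report.tlp!r}")  # fail closed
    if report.tlp == "CLEAR":
        return True                                   # no restriction
    if report.tlp == "GREEN":
        return candidate.community == holder.community  # the wider community
    if report.tlp == "AMBER":
        return candidate.org == holder.org or candidate.org in clients
    if report.tlp == "AMBER+STRICT":
        return candidate.org == holder.org            # own organization only
    return candidate.person in report.named_recipients  # TLP:RED: named individuals only

def anonymize_via_tice(report, entity="TICE"):
    """Supporting entity (4.4) relays the report with the originating org removed;
    the TLP marking and named recipients are preserved unchanged."""
    return replace(report, source=entity)

# Constructed sample community: two banks in "finsec", one telco elsewhere.
alice = Member("alice", "bank-a", "finsec")
bob = Member("bob", "bank-a", "finsec")
carol = Member("carol", "bank-b", "finsec")
dave = Member("dave", "telco-x", "telecom")
amber_report = Report("bank-a", "AMBER", frozenset({"alice"}), "constructed indicator report")

if __name__ == "__main__":
    print(may_forward(amber_report, alice, bob))    # same org: allowed
    print(may_forward(amber_report, alice, carol))  # other org, not a client: refused
    print(anonymize_via_tice(amber_report).source)  # "TICE"
```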