ISO/IEC 27011
ISO/IEC 27011:2016 – Information technology – Security protocols – Information security guidelines based on ISO/IEC 27002 for telecom companies
Introduction
ITU-T and ISO/IEC JTC1/SC27 developed this ISMS implementation guide for telecom industry organizations, the text of which has been published as both ITU-T X.1051 and ISO/IEC 27011.
Scope and objectives
Specifically, this standard:
“Provides guidelines and general principles for establishing, implementing, maintaining, and strengthening information security controls in telecom organizations based on ISO/IEC 27002; [and]
Sets the standards for the implementation of information security controls within telecom organizations to guarantee the confidentiality, integrity and availability of facilities, information and services that are handled, managed, or stored on those facilities or services.”
The content
Furthermore, there are minor modifications of ISO/IEC 27002’s core content and an additional ‘extended control set’ that provides advice to telecoms organizations on access controls, physical security, and environmental security, as well as on communications security and compliance. This document elaborates on network security, addressing “cyber attacks” and network congestion.
The standard’s status
2008 marked the first publication of the standard.
In keeping with the new ISO/IEC 27002 and 27001 versions from 2013, this guideline was revised. The second edition of this book was released in 2016.
A corrigendum was presented in 2018, adding corrections to the title of clause 8.2.1.
The revision project has reached the 4th Working Draft stage. It was titled as “Information security, cybersecurity and privacy protection – Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations”.
Commentary
ITU-T has proposed to extend ISO/IEC 27011 with two new parts, which are:
– Security management Guidelines for Small and Medium-sized telecommunications organizations [X.sgsm]: A document that presents guidance for the implementation of information security management systems based on X.1051 (ISO/IEC 27011);
– Asset Management Guidelines [X.amg]: an essential guide to asset management for telecom companies.
These are not included in ISO/IEC 27011:2016. They may become separate standards, or may be incorporated into the 3rd edition?