Societal Security — Business continuity management systems — requirements
ISO 22301, with its grand title of “Societal Security”, is the ISO replacement for BS 25999-2:2007 and was published on 15 May 2012. It is of particular interest to us, because, like the revised version of 27001, it also conforms to the new ISO directives for the High Level Structure and Identical Core Text for management system standards. Let’s see how they do it.
The first point to note (page iii of the standard) is that the overall structure in terms of the new ISO directives is as expected. The second is that in the foreword there is a section on the PDCA model, which is a surprise as its use is deprecated by the new ISO directives. More important, however, is that the operational components of BS 25999 — business impact analysis and risk assessment, business continuity strategy, procedures, exercising and testing — are all in one place. The new version of ISO/IEC 27001 splits them between Planning (Clause 6) and Operation (Clause 8). Who got it right, and does it really matter?
ISO 22301 was published on 15 May 2012, which is about six weeks after the publication of the new ISO directives. There would probably not have been enough time to incorporate the final Identical Core Text changes into ISO 22301, and therefore ISO 22301 may conform to an earlier version of Draft Guide 83.
The only way to tell is to compare the Identical Core Text with that in Annex SL of the new directives (or previous versions of Guide 83 if you have them). However, when we do that, we find that ISO 22301 is a mixture. For example, the Identical Core Text in Sections 4.3 and 4.4 is the same as that in the new ISO directives, whereas that in Sections 4.1 and 4.2 comes from a previous version (June 2011, actually). We might therefore conclude that it is a hybrid — a pick and mix from different versions of Guide 83. However, the correct way to think of it is that it accords totally with the new ISO directives, but that there are deviations, which in this case are a reversion to earlier Guide 83 text.
The standard states that it uses the PDCA model to ensure a degree of consistency with other management system standards, which it will of course do until they have all been revised to accord with the new ISO directives. Nevertheless, there is a useful list in Section 0.3 that relates Clauses 4 to 10 to the PDCA model. The diagram is identical to that in BS 25999-2:2007, save for a few cosmetic changes.
Of particular interest, when compared with ISO/IEC 27001, is that it points out that the “content of Clause 6 differs from establishing risk treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived recovery objectives.” This appears to be ISO 22301’s way of drawing a distinction between planning actions (Section 6.1) to address the risks and opportunities (identified by the requirements of Section 4.1) and the meat of business continuity planning, which derives from a consideration of the risks of disruption. However, why should the risk of disruption not be one of the issues identified by the requirements of Section 4.1? From a mathematical perspective there are some interesting laws concerning requirements standards. Why not read them and judge for yourself whether ISO 22301 has got it right?
The definitions of some business continuity terms differ from those given in BS 25999-2:2007. Sources are quoted for some definitions, and are either ISO 22300 or ISO Guide 73. Definitions that come from Annex SL are unattributed (e.g. organisation).
The definition of risk in Annex SL was changed in December 2011 to “effect of uncertainty”. ISO 22301 uses the definition given in the October 2010 version of Guide 83, which is the same as that in ISO Guide 73: “effect of uncertainty on objectives”. Thus the definition of risk in ISO 22301 is another deviation from the revised ISO directives.
It is understood that the phrase “on objectives” was dropped from the definition as a result of lobbying from the environmental standards people (ISO 14000). The definition of the term objective is “result to be achieved”, which therefore implies that a risk only exists if the organisation intended to do something. This conclusion logically follows from the definition of organisation, which is “person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives”, and it is these objectives that are being referred to in the ISO Guide 73 definition of risk. The argument, we believe from the environment people, was that such a definition is not guaranteed to cover collateral damage. An oil company, for example, may well have the stated objective of extracting oil from under the sea, but the risk of pollution — in accordance with the ISO Guide 73 definition of risk — would only exist if the organisation had also stated that another of its objectives was not to pollute the environment or spill oil into the sea. By dropping the phrase “on objectives”, the risk of pollution is no longer dependent on whether non-pollution, etc. is an objective of the organisation or not. It does mean, of course, that if an organisation does not have an information security objective concerning the confidentiality and integrity of personal information, then there is no risk. However, in the UK, the organisation is subject to the Data Protection Act, and therefore there is a risk that it could be prosecuted and fined for a breach of that law. In accordance with the Guide 73 definition there is, however, no risk, which is clearly silly, and we feel that the Annex SL definition is correct. It will be interesting to see how other standards committees deal with this.
Note that ISO 31000 does not define the term objective, and it therefore takes on its Oxford English Dictionary definition: “a thing aimed at or sought; a goal”, which is not dissimilar to the Annex SL definition. Consequently, we believe that the problem has not arisen because of the amalgamation of the Guide 83 and ISO Guide 73 vocabularies, but is merely one of the need to cover collateral damage.
Of note, making ISO 31000 objectives-based is something that TC262 (the responsible standards committee) considers to be of paramount importance, and in SC27 it was agreed to retain the Guide 73 definition in ISO/IEC DIS 27001.
The section on risk assessment (Section 8.2.3) mentions ISO 31000 in a note. The requirements are quite slender (13 lines in total), effectively:
The original idea behind Guide 83 was that management system standards had to conform strictly to the High Level Structure and Identical Core Text given in Guide 83. However, with the publication of the new ISO directives, deviations are allowed provided that they are reported to ISO’s Technical Management Board (TMB) with a “good rationale”. We believe that this facility has been introduced to allow the Identical Core Text to be adjusted where it prevents a standards committee from expressing its discipline-specific requirements in the manner that it needs. Its purpose is not to allow “improvements” to be made, although some National Body experts disagree on this latter point. Let’s see how ISO 22301 deals with deviations.
Going through the standard, we note:
One of the ideas in Guide 83 was to distinguish Identical Core Text from discipline-specific text. In the revision of ISO/IEC 27001 we use two colours: blue for Identical Core Text and black for ISMS-specific text. Given the facility for deviations, we actually need three colours: a third, say brown, to identify deviations from the Identical Core Text. ISO 22301 does none of this. The lay reader will be oblivious to the existence of the High Level Structure and Identical Core Text (until, of course, they read another new management system standard or the ISO directives).
If the reader is familiar with BS 25999-2:2007, they may look for terms such as preventive action and wonder where they have gone. There is no explanation for this, but they are in fact catered for by the requirements of 6.1.
Discipline-specific text has been added as follows:
We also note that whereas the new ISO directives require the use of the term documented information, ISO 22301 continues to use the traditional phraseology of a “documented XYZ…”. Nevertheless, it uses the word “record” consistently as a verb, which is correct. There are also many duplicate requirements, which is perhaps not the best way of doing things in a requirements standard.
The new standard clearly accords with the new ISO directives for a High Level Structure and Identical Core Text, albeit with some deviations.
There do not appear to be any requirements that are additional to those of BS 25999-2:2007.
© Gamma Secure Systems Limited, 2013