ISO/IEC TR 27103:2018
(Main)Information technology — Security techniques — Cybersecurity and ISO and IEC Standards
Information technology — Security techniques — Cybersecurity and ISO and IEC Standards
ISO/IEC TR 27103:2018 provides guidance on how to leverage existing standards in a cybersecurity framework.
Technologies de l'information — Techniques de sécurité — Cybersécurité et normes ISO et IEC
General Information
Relations
Standards Content (Sample)
TECHNICAL ISO/IEC TR
REPORT 27103
First edition
2018-02
Information technology — Security
techniques — Cybersecurity and ISO
and IEC Standards
Technologies de l'information — Techniques de sécurité —
Cybersécurité et normes ISO et IEC
Reference number
ISO/IEC TR 27103:2018(E)
©
ISO/IEC 2018
---------------------- Page: 1 ----------------------
ISO/IEC TR 27103:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC TR 27103:2018(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Document structure . 1
5 Background . 1
5.1 General . 1
5.2 Advantages of a risk-based approach to cybersecurity . 2
5.3 Stakeholders . 2
5.4 Activities of a cybersecurity framework and programme . 2
6 Concepts . 3
6.1 Overview of cybersecurity frameworks . 3
6.2 Cybersecurity framework functions . 3
6.2.1 Overview . 3
6.3 Identify . 4
6.4 Protect . 5
6.5 Detect . 6
6.6 Respond . 7
6.7 Recover . 7
Annex A (informative) sub-categories . 9
Annex B (informative) Three principles and ten essentials of the cybersecurity for
top management .20
Bibliography .23
© ISO/IEC 2018 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC TR 27103:2018(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/ iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
iv © ISO/IEC 2018 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC TR 27103:2018(E)
Introduction
Security on the Internet and other networks is a subject of growing concern. Organizations around the
world, in both government and industry sectors, are seeking ways to address and manage cybersecurity
risks, including via baseline cybersecurity measures that can be implemented as requirements or
guidance. The demonstrated security and economic value of utilising existing best practices to develop
approaches to cyber risk management has led organizations to assess how to use and improve upon
existing approaches.
Perspectives, and consequent approaches, to risk management are affected by the terminology used,
e.g. “cybersecurity” versus “information security”. Where similar risks are addressed, this different
perspective can result in “cybersecurity” approaches focusing on external threats and the need to use
information for organizational purposes, while, in contrast, ”information security” approaches consider
all risks whether from internal or external sources. There can also be a perception that cybersecurity
risks are primarily related to antagonistic threats, and that a lack of “cybersecurity” can create worse
consequences to the organization than a lack of “information security”. Thus, cybersecurity can be
perceived as more relevant to the organization than information security. This perception can cause
confusion and also reduces the effectiveness of risk assessment and treatment.
Regardless of perception, the concepts behind information security can be used to assess and manage
cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive
and structured manner, and ensure that processes, governance and controls exist and are fit for
purpose. This can be done through a management systems approach. An Information Security
Management System (ISMS) as described in ISO/IEC 27001 is a well proven way for any
organization to implement a risk-based approach to cybersecurity.
This document demonstrates how a cybersecurity framework can utilize current information security
standards to achieve a well-controlled approach to cybersecurity management.
© ISO/IEC 2018 – All rights reserved v
---------------------- Page: 5 ----------------------
TECHNICAL REPORT ISO/IEC TR 27103:2018(E)
Information technology — Security techniques —
Cybersecurity and ISO and IEC Standards
1 Scope
This document provides guidance on how to leverage existing standards in a cybersecurity framework.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
information security
preservation of confidentiality, integrity and availability of information
[SOURCE: ISO/IEC 27000:2016 2.33]
4 Document structure
This document provides background on the reasons why having a risk-based, prioritized, flexible,
outcome-focused, and communications-enabling framework for cybersecurity is important. It then
describes the objectives of a strong cybersecurity framework and includes mapping to existing
standards that can be used to achieve these objectives.
5 Background
5.1 General
Cybersecurity is a relatively new discipline. ISO, IEC, and ISO/IEC standards developed over the last 25
years can be applied to help solve the challenges of cybersecurity. Existing and emerging cybersecurity
frameworks throughout the world reference ISO, IEC, and ISO/IEC standards as useful sources of
information.
Implementing cybersecurity framework, or a cybersecurity programme, requires a consistent and
iterative approach to identifying, assessing, and managing risk and evaluating implementation of the
framework. ISO/IEC 27001 already provides a risk management framework that can be applied to
prioritize and implement cybersecurity activities within an organization.
© ISO/IEC 2018 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC TR 27103:2018(E)
5.2 Advantages of a risk-based approach to cybersecurity
A risk-based approach to cybersecurity:
— enables organizations to measure the impact of cybersecurity investments and improve their
cybersecurity risk management over time;
— is prioritized, flexible, and outcome-focused;
— enables organizations to make security investment decisions that address risk, implement risk
mitigations in a way that is most effective for their environments, and advance security improvements
and innovations;
— facilitates communication across boundaries, both within and between organizations;
— is responsive to the actual risks faced by an organization, while recognizing that organizational
resources are limited;
— reflects a clear understanding of the organization’s particular business drivers and security
considerations;
— allows an organization to manage risks in ways that are consistent with their own business
priorities;
— enables organizations to have flexibility in a rapidly changing technology and threat landscape, and
helps to address the varying needs of organizations and sectors.
More detailed and prescriptive guidance (e.g. detailed standards and guidelines) required by specific
stakeholders for specific purposes can be provided on demand. Organizations that implement a risk-
based cybersecurity framework can therefore take advantage of the benefits without being limited by
the need for a full set of detailed implementation guidance.
5.3 Stakeholders
Stakeholders need to play an active role, beyond protecting their own assets, in order for the organization
to realize the benefits of a connected global environment. Internet-enabled systems and applications
are expanding beyond the business-to-business, business-to-consumer, and consumer-to-consumer
models, to include many-to-many interactions and transactions. Individuals and organizations need to
be prepared to address emerging security risks and challenges and effectively prevent and respond to
misuse and criminal exploitation.
5.4 Activities of a cybersecurity framework and programme
The activities of a cybersecurity framework and programme are:
a) describe the organization’s current cybersecurity status;
b) describe the organization’s target state for cybersecurity;
c) identify and prioritize opportunities for improvement;
d) assess progress toward the target state;
e) communicate among internal and external stakeholders about cybersecurity risk.
2 © ISO/IEC 2018 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC TR 27103:2018(E)
6 Concepts
6.1 Overview of cybersecurity frameworks
A cybersecurity framework captures a set of desired cybersecurity outcomes that are common across
all sectors and organizations. A framework facilitates communication about implementation of these
desired outcomes and associated cybersecurity activities across the organization, from the executive
level to the implementation and operations levels. The framework should consist of five functions, or
high-level descriptions of desired outcomes, which are concurrent and continuous:
— Identify;
— Protect;
— Detect;
— Respond;
— Recover.
When considered together, these functions provide a high-level, strategic view of an organization’s
management of cybersecurity risk. Within each function, there are also categories and sub-categories,
a prioritized set of activities that are important for achieving the specified outcomes.
Categories are the subdivisions of a function into groups of cybersecurity outcomes closely tied to
programmatic needs and particular activities. Sub-categories further divide a category into specific
outcomes of technical and/or management activities. They provide a set of results that, while not
exhaustive, help support achievement of the outcomes in each category.
Organizing a cybersecurity framework into multiple levels, such as functions, categories, and sub-
categories, helps to enable communication across boundaries. While many executives can seek to
understand and make investments to more effectively mitigate organizational risk at the level of
functions, operational practitioners can benefit from the more nuanced description of desired outcomes
at the category or sub-category level. Importantly, though, if high-level and more nuanced descriptions
of outcomes are organized within a single reference point that uses a common language, communication
between executives and practitioners is facilitated, supporting strategic planning.
NOTE Annex B provides an example of another cybersecurity framework.
6.2 Cybersecurity framework functions
6.2.1 Overview
Functions organize basic cybersecurity outcomes and activities at their highest level. Important
functions to include in a framework, as noted previously, are:
— Identify;
— Protect;
— Detect;
— Respond;
— Recover.
Each of these functions represents an area that an organization can use to express how it manages
cybersecurity risk. These functions aid in organizing activities, enabling risk management decisions,
addressing threats, and improving by learning from previous experiences.
© ISO/IEC 2018 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC TR 27103:2018(E)
The Identify function develops the organizational understanding to manage cybersecurity risk to
systems, assets, data and capabilities. The activities in the Identify function are foundational for
effective use of the framework. Understanding the business context, the resources that support critical
functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts,
consistent with its risk management strategy and business needs.
The Protect function develops and implements the appropriate safeguards to ensure delivery of critical
infrastructure services. The Protect function supports the ability to limit or contain the impact of a
potential cybersecurity event.
The Detect function develops and implements the appropriate activities to identify the occurrence of a
cybersecurity event. The Detect function enables timely discovery of cybersecurity events.
The Respond function develops and implements the appropriate activities to take action regarding
a detected cybersecurity event. The Respond function supports the ability to contain the impact of a
potential cybersecurity event.
The Recover function develops and implements the appropriate activities to maintain plans for
resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Annex A examines each of the categories and breaks them down into possible outcomes and activities
(sub-categories), demonstrating how to leverage existing ISO and IEC standards to better support the
implementation of relevant activities.
6.3 Identify
The Identify function develops organizational understanding to manage cybersecurity risk to systems,
assets, data and capabilities. The activities in the Identify function are important for effective use of the
framework. Understanding the business context, the resources that support critical functions, and the
related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with
its risk management strategy and business needs. Within this function, there are activities that are
vital to successful cyber risk management. To be able to identify these activities, an organization should
understand its organisational objectives and risk management strategy.
Within the Identify function, the categories that can be included are:
4 © ISO/IEC 2018 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC TR 27103:2018(E)
Table 1 — Identify categories
Category Description References
Business environment The organization’s objectives, ISO/IEC 27001:2013, Clause 4
stakeholders, and activities are
ISO/IEC 27001: 2013, Clause 5
understood and used to inform
roles, responsibilities and risk
ISO/IEC 27036 (all parts)
management decisions. Compre-
ISO/IEC 20243:2015, Clause 4
hensive security measures are
necessary covering the company
IEC 62443-2-1:2010, 4.2.1
itself, its group companies, busi-
ISO 31000:2009, 5.3
ness partners of its supply chain
and IT system control outsourcing
companies.
Risk assessment The organization understands the ISO/IEC 27001:2013, Clause 6
risks to the organization’s opera-
ISO/IEC 27014
tions and assets. The management
are required to drive cybersecuri- ISO/IEC 20243:2015, Clause 4
ty risk measures considering any
IEC 62443-2-1:2010, 4.2
possible risk while in proceeding
with the utilization of IT. ISO 31000
ISO/IEC 38505
Risk management strategy An organization’s approach, the ISO/IEC 27001:2013, 9.3
management components and
ISO/IEC 20243:2015, Clause 4
resources to be applied to the
management of risk. ISO 31000, Clause 4
Governance To monitor and manage the ISO/IEC 27002:2013, Clause 5
organization’s regulatory, legal,
ISO/IEC 27002:2013, Clause 6
environmental and operational
requirements. This information is ISO/IEC 38054
then used to inform the appropri-
ISO/IEC 38505-1
ate levels of management.
ISO/IEC 20243:2015, Clause 4
IEC 62443-2-1:2010, 4.3.2.3
Asset Management Identification and management of ISO/IEC 27002:2013
the systems, data, devices, people
ISO/IEC 20243:2015, Clause 4
and facilities in relation to the
business.
IEC 62443-2-1:2010, 4.2.3.4
ISO/IEC 27019:2017, Clause 7
6.4 Protect
The Protect function develops and implements appropriate safeguards to ensure delivery of resilient
products and services. The Protect function also supports the ability to limit or contain the impact of a
potential cybersecurity event.
Within the Protect function, the categories that can be included are:
© ISO/IEC 2018 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC TR 27103:2018(E)
Table 2 — Protect categories
Category Description References
Access control Limiting access to facilities and ISO/IEC 27002:2013, Clause 9
assets to only authorized entities
ISO/IEC 29146
and associated activities. Included
in access management is entity
ISO/IEC 29115
authentication
IEC 62443-2-1:2010, 4.3.3.5
Awareness and training Ensuring users and stakeholders ISO/IEC 27002:2013, Clause 6, 7
are aware of policies, procedures,
ISO/IEC 20243:2015, Clause 4
and responsibilities relating to
cybersecurity responsibilities. IEC 62443-2-1:2010, 4.3.2.4.2
Data security Responsible for the confidentiality, ISO/IEC 27002:2013, Clause 8
integrity, and availability of data
and information.
Information protection processes Security policies, processes, and ISO/IEC 27002:2013
and procedures procedures are maintained and
used to manage protection of infor-
mation systems.
Maintenance Processes and procedures for ongo- ISO/IEC 27002:2013, Clause 11
ing maintenance and modernization
ISO/IEC 20243:2015, Clause 4
IEC 62443-2-1:2010, 4.3.3
Protective technology Technical security solutions (such ISO/IEC 27002: 2013
as logging, removable media, least
ISO/IEC 27033 series
access principles, and network
protection) IEC 62443-2-1:2010,
Annex A examines each of the categories and breaks them down into possible outcomes and activities
(sub-categories), demonstrating how to leverage existing ISO and IEC standards to better support the
implementation of relevant activities.
6.5 Detect
The Detect function identifies the occurrence of a cybersecurity event in a timely fashion.
Within the Detect function, the categories that can be included are:
Table 3 — Detect categories
Category Description References
Anomalies and events Detection of anomalies and events ISO/IEC 27002:2013, Clause 16
and understanding of the impact
ISO/IEC 27035 (all parts)
of those events.
IEC 62443-2-1:2010, 4.3.4.5
Security continuous monitoring Systems being monitored on a reg- ISO/IEC 27002:2013, Clause 12
ular basis to validate the effective-
ness of security measures in place.
Detection process Processes and procedures to ISO/IEC 27002:2013, Clause 16
ensure timely awareness and com-
ISO/IEC 27035 (all parts)
munication of events.
IEC 62443-2-1:2010, 4.3.4.5
Annex A of this document examines each of the categories and breaks them down into possible outcomes
and activities (sub-categories), demonstrating how to leverage existing ISO and IEC standards to better
support the implementation of relevant activities.
6 © ISO/IEC 2018 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC TR 27103:2018(E)
6.6 Respond
The Respond function develops and implements appropriate activities to take action regarding a
detected cybersecurity event. The Respond function supports the ability to contain the impact of a
potential cybersecurity event.
Within the Respond function, the categories that can be included are:
Table 4 — Respond categories
Category Description References
Response Planning Plan for how to respond to events ISO/IEC 27002:2013, Clause 16
in a timely manner including
ISO/IEC 27035 (all parts)
processes and procedures for
responding to events. IEC 62443-2-1:2010, 4.3.4.5
Communications Processes and procedures for ISO/IEC 27002:2013, Clause 16
communicating the timely infor-
ISO/IEC 27035 (all parts)
mation to relevant parties.
ISO/IEC 27014
Companies need to communi-
cate appropriately with relevant IEC 62443-2-1:2010, 4.3.4.5
parties by, for example, disclosing
information on security measures
or response on regular basis or in
times of emergency.
Analysis Review of detected events, in- ISO/IEC 27002:2013, Clause 16
cluding categorization and impact
ISO/IEC 27035 (all parts)
of events.
IEC 62443-2-1:2010, 4.3.4.5
Mitigation Activities that limit the expansion ISO/IEC 27002:2013, Clause 16
of the event, mitigate the event
ISO/IEC 27035 (all parts)
and stop the event.
IEC 62443-2-1:2010, 4.3.4.5
Improvements Organization reviews the response ISO/IEC 27002:2013, Clause 16
plan and improves it based on les-
ISO/IEC 27035 (all parts)
sons learned during an event.
IEC 62443-2-1:2010, 4.3.4.5
Annex A examines each of the categories and breaks them down into possible outcomes and activities
(sub-categories), demonstrating how to leverage existing ISO and IEC standards to better support the
implementation of relevant activities.
6.7 Recover
The Recover function develops and implements appropriate activities to maintain plans for resilience
and to restore any capabilities or services that were impaired due to a cybersecurity event.
Within the Recovery function, the categories that can be included are:
© ISO/IEC 2018 – All rights reserved 7
---------------------- Page: 12 ----------------------
ISO/IEC TR 27103:2018(E)
Table 5 — Recover categories
Category Description References
Recovery planning Plan for how to recover from an ISO/IEC 27002:2013, Clause 16
event and the next steps after an
ISO/IEC 27035 (all parts)
event.
IEC 62443-2-1:2010, 4.4.3.4
Communications Processes and procedures for ISO/IEC 27002:2013, Clause 16
communicating the timely infor-
ISO/IEC 27035 (all parts)
mation to relevant parties.
IEC 62443-2-1:2010, 4.4.3.4
Improvements Organization takes the lessons ISO/IEC 27002:2013, Clause 16
learned during an event and feeds
ISO/IEC 27035 (all parts)
it back into the process and pro-
cedures.
IEC 62443-2-1:2010, 4.4.3.4
Annex A examines each of the categories and breaks them down into possible outcomes and activities
(sub-categories), demonstrating how to leverage existing ISO and IEC standards to better support the
implementation of relevant activities.
8 © ISO/IEC 2018 – All rights reserved
---------------------- Page: 13 ----------------------
ISO/IEC TR 27103:2018(E)
Annex A
(informative)
sub-categories
A.1 General
As described above in Clause 5, effective approaches to cyber risk management are flexible and outcome-
focused, articulated in terms of desired security outcomes rather than dictating how outcomes should
be achieved. However, both outcome-focused and more prescriptive guidance or controls have valuable
functions in cyber risk management; while objectives are likely to remain consistent, controls should
be constantly revised to reflect organizational and industry learnings, changing threat models, and
new security techniques or capabilities. Baseline cybersecurity measures should articulate desired
outcomes, such as functions and categories, and should remain applicable. Such baselines can reference
more prescriptive guidance, such as sub-category activities and associated standards, that can be
updated by governments and industry as they assess rapidly changing technology and threat landscape.
In the context of functions and categories, this annex describes a set of sub-category activities and lists
associated standards, demonstrating how a cybersecurity framework can utilize existing information
security standards.
A.2 Identify sub-categories
A.2.1 Business Environment
Table A.1 describes the activities under the Business Environment category, along with standards that
can support the understanding and implementation of these activities.
Table A.1 — Identify function: Business Environment sub-categories
Description of sub-category Standards mapping
The organization’s role in the supply chain is identified and com- ISO/IEC 27002:2013, 15.1.3, 15.2.1
municated
ISO/IEC 27036-1
ISO/IEC 20243:2015, Clause 4
The organization’s place in critical infrastructure and its i
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.