ISO/IEC 27010:2015 provides guidance on the methods, models, processes, policies, controls, protocols and other mechanisms for sharing information with trusted counterparties while upholding the basic principles of information security.
ISO 27010 was jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Building on the guidance in the wider ISO 27000 family, the standard addresses how information security management is applied across information sharing communities.
ISO 27010 aims to secure the sharing of knowledge about sensitive infrastructures. It proposes common rules for preventing security problems when confidential information is transferred, and it covers the following areas.
ISO 27010 offers guidelines on information security interworking and cooperation between organisations in the same sectors, in separate sectors of industry and with governments.
The standard also sets out guidance for sharing information in times of crisis and protecting vital infrastructure as well as for mutual understanding in normal business circumstances to satisfy legal, regulatory and contractual obligations.
First published in 2012, ISO 27010 was revised in 2015 with minor editorial changes so that it aligned better with the 2013 editions of ISO/IEC 27001 and ISO/IEC 27002. This second edition was released in December 2015.
Information sharing, threat intelligence included, has its own drawbacks and raises several practical issues. For example, organisations may receive raw, unevaluated information that adds to the workload of their security team by increasing the number of alerts and warnings rather than reducing them. Some security vendors are also reluctant to share data for fear of eroding their competitive advantage.
The ISO/IEC 27000 series of standards addresses some of these problems. Every organisation is encouraged to assess its risks and then treat them according to its own needs, drawing on advice and support where appropriate and applying information security controls. ISO/IEC 27010 provides controls and guidance on initiating, implementing and maintaining information security in inter-organisational and inter-sector communications. It also offers general principles on how to meet the defined requirements using existing messaging and other technical methods.
The standard applies to all forms of exchanging and sharing sensitive information, public and private, nationally and internationally, not only within or between industry or business sectors. In particular, it applies to information exchange and sharing related to providing, sustaining and protecting the essential infrastructure of an organisation or nation state. Designed to build trust while confidential information is exchanged and shared, ISO 27010 supports the international growth of an information sharing culture.
The ISO/IEC 27000 series of standards offers best-practice guidance on information security management. ISO/IEC 27010:2015 is a sector-specific complement to ISO/IEC 27001:2013 and ISO/IEC 27002:2013 for information sharing communities. The guidelines in this international standard are in addition to, and complement, the generic guidance provided by the other members of the ISO/IEC 27000 family. Where applicable, certification bodies operating under ISO 27006 can refer to ISO 27010 when issuing certification.
ISO 27010 also defines general approaches to the information security elements involved in drafting and enforcing policies and procedures. These are accompanied by training and awareness initiatives for those taking part in the sharing process, and, where appropriate, by independent evaluations or audits to confirm compliance with ISO/IEC 27010 and other relevant ISO27k standards.
ISO/IEC 27010:2015 complements ISO/IEC 27001:2013 and ISO/IEC 27002:2013 well. ISO 27010 offers advice on understanding ISO 27001’s criteria when exchanging information between organisations. It also provides additional security measures and knowledge sharing instructions beyond those found in ISO 27002.
ISO/IEC 27001:2013 and ISO/IEC 27002:2013 address information exchange between organisations, but only in broad terms. Suppose an organisation wishes to transmit confidential information to several other organisations. In that case, the receiving organisations must assure the original owner that their use of the information will be subject to appropriate security controls.
Organisations can achieve this assurance by forming an information sharing community in which each participant trusts the others to safeguard the shared information, even where the participants are otherwise competitors.
ISO 27010 introduces a new control in its clause 7 that tackles a range of issues ISO 27002 does not address explicitly, including protecting the anonymity of the source of shared information, which runs counter to the usual non-repudiation expectation. ISO 27002 suits standard supplier scenarios; ISO 27010 provides additional material for these more complicated situations.
This international standard is relevant to all businesses and organisations that exchange confidential information, publicly or privately, in any industry. In particular, it applies to information exchange and sharing related to providing, sustaining and protecting the essential infrastructure of an organisation or nation state, because the standard's purpose is to build trust while private information is exchanged and shared.
It is relevant to any organisation providing or using information sharing tools protected by an information security management system (ISMS). It may also benefit large organisations with geographically dispersed functions that exchange information across departments or locations.
Without trust, an information sharing community cannot function. Those supplying information must trust recipients not to disclose or mishandle it. Those receiving information must be able to trust its accuracy, subject to any caveats notified by the originator. Both aspects are critical. ISO 27010 requires information sharing communities to demonstrate that effective security policies and good practice are in place and supported. To do this, all members of the community must adopt a collaborative management system covering the security of the shared information; this system should preferably be an ISMS.
Information sharing may also take place within communities where the sharer is not aware of every recipient. Sharing information in this way only works if the communities have sufficient confidence in one another and formal information sharing agreements. This is particularly relevant when sensitive information is shared among diverse communities, such as different industries or market sectors.
One scenario in which information is shared is the aftermath of a data breach. Sharing details of potential vulnerabilities and security concerns illustrates the wide range of problems and benefits that surround information sharing. These exchanges usually take place under extreme time pressure in a chaotic atmosphere, not the most favourable environment for developing trusting working relationships and agreeing on adequate security controls. The risk of sharing information about security incidents between different entities depends on the details of the particular situation. However, when done securely, sharing this information can prevent other organisations from encountering the same issues.
ISO 27010 consists of 18 clauses and 4 annexes.
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Concepts and justification
Clause 5: Information security policies
Clause 6: Organization of information security
Clause 7: Human resource security
Clause 8: Asset management
Clause 9: Access control
Clause 10: Cryptography
Clause 11: Physical and environmental security
Clause 12: Operations security
Clause 13: Communications security
Clause 14: System acquisition, development and maintenance
Clause 15: Supplier relationships
Clause 16: Information security incident management
Clause 17: Information security aspects of business continuity management
Clause 18: Compliance
Annex A: Sharing sensitive information
Annex B: Establishing trust in information exchanges
Annex C: The Traffic Light Protocol
Annex D: Models for organizing an information sharing community