Ever since I joined the ISO sub-committee 27 (SC27) meeting in Kyoto in 2006, April has been a month that I have been longing for. Every year in April and October, security experts and national delegations meet face-to-face and exchange ideas and observations on information security developments and trends. The well-known ISO 27001 ISMS and ISO 27002 Control Objectives are the results of SC27 meetings.
There are five working groups, each focusing on different matters (as listed below), and I have participated mainly in WG 1 and WG 5. This year there is a new standard at the draft stage that will be an important addition to the ISO 27000 series.
ISO/IEC JTC 1/SC 27/WG 1: Information security management systems
ISO/IEC JTC 1/SC 27/WG 2: Cryptography and security mechanisms
ISO/IEC JTC 1/SC 27/WG 3: Security evaluation, testing and specification
ISO/IEC JTC 1/SC 27/WG 4: Security controls and services
ISO/IEC JTC 1/SC 27/WG 5: Identity management and privacy technologies
My old friend Dale Johnstone and other authors are finalising comments on ISO 27102 Security techniques -- Information security management guidelines for cyber insurance. This document is a guideline rather than a standard; its objective is to help organisations understand risk treatment options and integrate cyber insurance into their overall security management framework.
"ISO 27102 provides guidelines for adopting cyber insurance as a risk treatment option to manage the impact of a cyber incident within the organization’s information security risk management framework," according to ISO/IEC JTC 1/SC27 DIS 27102 – Information security management guidelines for cyber insurance.
I have been following the document's development and have also reviewed the technical and editorial comments (a total of 44 pages). The editors recognise the importance of cyber insurance, but there is a gap in understanding this new type of risk control and risk transfer using insurance coverage. It is a challenging task, since this market is still evolving. Usually, ISO as an international organisation releases documents once the product or service is well established in the market. This time the ISO SC27 editors are taking the leading role and developing ISO 27102 while the cyber insurance market is still growing. Internationally agreed and standardised wording will assist security managers and technology risk managers in selecting and comparing risk-based risk transfer plans.
After the April 2019 Tel Aviv meeting, we shall know the next step in the release of ISO 27102. If you are interested in viewing the draft document, you can participate in ISO meetings via your national standardization body or buy a preview copy at
Our team based in Hong Kong is working with brokers, insurers and technology providers to protect company digital assets. Subscribe to our newsletter and you will get the latest news.