Possible missing topics in ISO 27002

Source : http://groups.google.com/group/iso27001security/browse_thread/thread/deeb23bd6dac75cf/d4b58384dfd2183f

Here’s my working shortlist of the areas in question, along with my suggestion of the best fit for these issues in the current structure of the standard where possible:

  • Accountability (section 7 and/or 8)
  • Authentication, identity management, identity theft (section 11)
  • Cloud computing (section 10, 11 or 12)
  • Database security (section 10, 11 or 12)
  • Ethics and trust (*new*)
  • Forensics (section 13)
  • Fraud (*new*?)
  • Governance of information (section 6, or move to ‘27001)
  • Hacking (section 11)
  • IT auditing (section 15.3)
  • Phishing (*new*)
  • Privacy [broader aspects than data protection legal compliance] (*new*)
  • Resilience and contingency (section 14)
  • SCADA/ICS, embedded systems, safety-critical systems (section 10 or 12)
  • Security testing, application testing, vulnerability assessments, pen tests etc. (section 12)
  • Social engineering and insider threats (*new*)

While one could argue that several of these are already covered, I personally feel they are not given sufficient emphasis at present.
Typically, the key terms widely used today are either completely missing or are only vaguely alluded to.

You can also add

  • VoIP
  • Social Networking
