ISO/IEC TS 27110:2021, Information technology, cybersecurity and privacy protection — Cybersecurity framework development guidelines.
5 Concepts

5.1 General

The purpose of subclauses 5.2 to 5.6 is to describe the concepts in a cybersecurity framework. These concepts are intended to give a cybersecurity framework creator a starting point. While every cybersecurity framework has different stakeholders and requirements, the concepts below remain constant and, thus, serve as the basis for any cybersecurity framework. The concepts listed below are not intended to provide sufficient detail for implementation of cybersecurity within an organization.

These concepts can be arranged in a process model. However, other configurations can work given the cybersecurity framework creator's stakeholder requirements. Cybersecurity framework creators can choose to augment the cybersecurity framework with additional concepts which provide value to their stakeholders or satisfy specific requirements. Furthermore, some cybersecurity framework creators can choose to enhance these concepts with categories and subcategories to provide more guidance to their stakeholders or satisfy requirements. Some contexts can warrant a greater level of detail than categories. If that is the case, cybersecurity framework creators may specify additional, more detailed statements that would align at the subcategory level.

The concepts presented below are independent of time, context, granularity of scope, and market conditions. While sequence of events, unique operating constraints, and business drivers are all important factors when designing a cybersecurity framework, they are considered implementation details.

5.2 Identify

A cybersecurity framework should include the Identify concept. The Identify concept develops the ecosystem of cybersecurity which is being considered. This ecosystem is used when developing the Protect, Detect, Respond and Recover concepts. Examples of ecosystem considerations are: business objectives, business environment, stakeholders, assets, business processes, laws, regulations, threat environment and cyber risks.

The Identify concept addresses people, policies, processes and technology when defining the scope of activities. The Identify concept can include many categories relating to scoping particular activities to only those which are relevant. Categories can include: business environment, risk assessment, risk management strategy, governance, asset management, business context analysis and supply chain considerations.

The activities in scope of the Identify concept are foundational for cybersecurity. The Identify concept can include an understanding of business context, stakeholders, the cybersecurity ecosystem and dependencies. An organization's presence in cyberspace, its cyber persona, the business-critical functions and information and their related resources can also be important. The understanding gained from the Identify concept enables a flexible and repeatable view of cybersecurity for an organization to focus and prioritize its efforts.

A cybersecurity framework creator should consider evolving cyber threats and emerging technology when designing the Identify concept. Otherwise, the resulting cybersecurity framework can fail to appropriately meet future requirements.