Monday, 20 April 2009

ISO/IEC 27011:2008 (Information security management guidance specific to telecommunications)

As they are published, I will be commenting on some of the other standards that are starting to appear as extensions of the ISO 27000 framework for information security.
The projects in progress and those already published by Subcommittee 27 can be consulted at the following link.
Last December saw the publication of ISO 27011:2008, a development of the ISO 27002 control framework designed specifically for the telecommunications sector. The title of this new standard is Information technology - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002.

ISO 27011:2008, like ISO 27799:2008 developed for the healthcare sector, is an extension of ISO 27002:2005, which is conceived as a basic catalogue of controls that can be used to implement an ISMS. As ISO 27001:2005 establishes, when selecting controls an organization may choose those listed in Annex A (which correspond to ISO 27002) or any other controls the organization considers relevant or applicable. We will therefore see more security standards appear that are tailored extensions for different sectors, each trying to establish a set of security measures that fits its specific needs.

.............................................................................................................................................

Information technology - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

Abstract
The scope of this Recommendation International Standard is to define guidelines supporting the implementation of information security management in telecommunications organizations.
The adoption of this Recommendation International Standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property. [ISO.org]
This ISMS implementation guide for the telecoms industry has been developed jointly by ITU-T and ISO/IEC JTC1/SC27. It is published jointly as ITU-T X.1051 and ISO/IEC 27011.
ITU-T Recommendation X.1051 Information security management system – Requirements for telecommunications (ISMS-T) was originally published in English in July 2004, followed by Spanish, French and Russian translations in 2005. It is based on the ISMS standards extant at that time i.e.:
- ITU-T Recommendation X.800 (1991), Security architecture for Open Systems - Interconnection for CCITT applications.
- ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end communications.
- ISO 9001:2000, Quality management systems – Requirements.
- ISO 14001:1996, Environmental management systems – Specification with guidance for use.
- ISO/IEC 17799:2000, Information technology – Code of practice for information security management (now known as ISO/IEC 27002).
- ISO/IEC Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards.
- BS 7799-2:2002, Information Security Management Systems – Specification with Guidance for use (now known as ISO/IEC 27001).

The summary states:

“For telecommunications organizations, information and the supporting processes, telecommunications facilities, networks and lines are important business assets. In order for telecommunications organizations to appropriately manage these business assets and to correctly and successfully continue their business activities, information security management is extremely necessary. This Recommendation provides the requirements on information security management for telecommunications organizations.
This Recommendation specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system (ISMS) within the context of the telecommunication's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual telecommunications or parts thereof.” [www.iso27001security.com]
