We are continuing the review of information security standards containing guidelines and good practices. This article will cover the ISO / IEC 27000 family standard and it will be ISO/IEC 27011 Information technology – Security techniques – Code of practice for information security auditing based on ISO/IEC 27002 for telecommunications organizations.

ISO 27011 provides guidelines to help telecommunications organizations implement the information security controls in Annex A of ISO/IEC 27001 (detailed in ISO/IEC 27002).

The use of the recommendations contained in the ISO/IEC 27011 standard will allow telecommunications organizations to meet the basic requirements of information security management regarding confidentiality, integrity, availability and other important security properties.

We will consider the basic concepts of telecommunications in more detail.

Confidentiality

Protection of the confidentiality of information related to telecommunications against unauthorized disclosure. This implies non-disclosure of messages regarding the existence, content, source, destination, date and time of the information provided.

Zobacz podobne  The ISO 15378 standard, i.e. GMP for pharmaceutical packaging manufacturers

It is extremely important that telecommunications organizations ensure that the nondisclosure of the communications they support is not violated. This includes ensuring that those involved by the telecommunications organization maintain the confidentiality of any information relating to others that may be disclosed in the course of their job responsibilities.

It is also worth noting that the term “secret of communication” is used in some countries in the context of “non-disclosure of communication”.

Integrity

Protection of the integrity of telecommunications information includes inspection of the installation and use of telecommunications equipment to ensure the authenticity, accuracy and completeness of information sent, transmitted or received by wire, radio or any other method.

Availability

The availability of telecommunication information includes ensuring that access to the equipment and medium used to provide communication services is authorized, regardless of whether the communication is by wire, radio or any other means. Typically, telecommunications organizations prioritize emergency communications, managing the unavailability of less important communications in accordance with regulatory requirements.

Zobacz podobne  Supervision over measuring instruments - metrological consistency

Telecommunications organizations provide telecommunications services by facilitating customer communication through their infrastructure. To provide telecommunications services, telecommunications organizations must combine and / or share their services and facilities and/or use the services and facilities of other telecommunications organizations. In addition, locations such as radio, antenna locations, ground cables, and utilities may be available not only to organization personnel but also to contractors and suppliers outside the organization.

Therefore, information security management in telecommunications organizations is complex, potentially:

  • depending on external sites;
  • the need to cover all areas of network infrastructure, service applications and other facilities;
  • a range of telecommunications technologies (e.g. wired, wireless or broadband);
  • supporting a wide variety of operational scales, service areas and service types.
Zobacz podobne  Tools that help auditors to conduct internal audits

In addition to applying the security objectives and controls described in ISO/IEC 27002, telecommunications organizations may need to implement additional controls to ensure the confidentiality, integrity, availability and other security features of telecommunications to adequately manage information security risks.

In summary, the ISO/IEC 27011 standard contains interpretative guidelines for the implementation and management of information security objectives in telecommunications organizations based on ISO/IEC 27002. The recipients of the standard are mainly telecommunications organizations and persons responsible for information security; together with security vendors, auditors, telecommunications terminal vendors and application content vendors.

 

Sources used:

ISO/IEC 27011: 2020 Information technology – Security techniques – Code of practice for information security control based on ISO/IEC 27002 for telecommunications organizations

Scroll to Top