ISO 22396:2020

ISO 22396:2020, Security and resilience – Community resilience – Guidelines for information exchange between organizations.
An information security management system should be an integrated part of the information exchange structure. Security aspects should be taken into account in the structuring of processes, systems and controls. An information security management system should include several controls on information assets.
As a first step in the process of establishing the information exchange, the participating organizations should create and agree upon a classification scheme for the information, taking into consideration how the information exchange arrangement will relate to already established protocols and concepts. The classification of information should be made in accordance with value, criticality and sensitivity to unauthorized disclosure or modification. Legal requirements can apply. The classification should indicate the value of the asset in terms of confidentiality, integrity and availability, and should be continuously updated throughout the whole life cycle.
The classification of information is an exclusive decision of the organization (private or public) owning the information and is decided based on operational concerns and/or the sensitivity of information.
Examples of information classification systems include the following.
— Information security management systems (see the ISO/IEC 27000 family of standards): such a framework protects the confidentiality of the information, as well as its correctness and availability by managing risks and bringing trust to the involved parties.
— The traffic light protocol (TLP): the information classification system TLP is meant to encourage greater sharing of sensitive information between organizations. It allows the source of information to tag it with a colour, specifying to the recipient the terms of further distribution or disclosure. If a wider distribution than what the coding permits is required, the recipient must first consult the source, who has the last word. The TLP requires a certain trust amongst the participants. The sharer must trust the receivers enough to not over-tag the information, and the receivers must trust the sharer’s reasons for tagging it with a certain colour and respect those limitations. (See Annex A.)
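The TLP rule described above, as an added worked example that is not part of the standard: a recipient checks whether a proposed onward distribution stays within the scope the tag permits, and anything wider is blocked until the source has been consulted. The colour meanings are assumed from the FIRST TLP 2.0 definitions, since this excerpt only refers to Annex A for them; the tag parser and audience scale are illustrative constructs.

```python
import re
from enum import IntEnum


class Audience(IntEnum):
    """Distribution scopes, ordered from narrowest to widest (constructed scale)."""
    NAMED_RECIPIENTS = 0
    OWN_ORGANIZATION = 1
    ORGANIZATION_AND_CLIENTS = 2
    COMMUNITY = 3
    PUBLIC = 4


# Widest audience each label permits. Assumption: FIRST TLP 2.0 definitions;
# the page itself defers the colour meanings to Annex A.
TLP_LIMITS = {
    "TLP:RED": Audience.NAMED_RECIPIENTS,
    "TLP:AMBER+STRICT": Audience.OWN_ORGANIZATION,
    "TLP:AMBER": Audience.ORGANIZATION_AND_CLIENTS,
    "TLP:GREEN": Audience.COMMUNITY,
    "TLP:CLEAR": Audience.PUBLIC,
}


def parse_tlp_label(text):
    """Extract the TLP tag from a subject or header line (case-insensitive).
    An untagged or unknown item raises, so nothing is treated as freely
    shareable by default."""
    m = re.search(r"TLP:([A-Z]+(?:\+STRICT)?)", text, re.IGNORECASE)
    if not m:
        raise ValueError("no TLP tag present; treat as unclassified, do not forward")
    label = "TLP:" + m.group(1).upper()
    if label not in TLP_LIMITS:
        raise ValueError(f"unknown TLP label {label!r}")
    return label


def redistribution_decision(label, proposed, source_approved=False):
    """Forwarding within the tag's scope is permitted; going wider requires
    the source's explicit consent first (the source has the last word)."""
    if proposed <= TLP_LIMITS[label]:
        return "permitted"
    if source_approved:
        return "permitted-by-source"
    return "consult-source"
```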
