Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Jul 25, 2016

ISO27k standards status update

I spent my weekend catching up with a backlog of ISO/IEC JTC1/SC 27 emails, updating ISO27001security.com to reflect my personal understanding of the current status on all the ISO27k standards. 


A few items of note: 
  1. Terminology continues to be a problem for the committee. ISO/IEC 27000 isn’t working out very well. Although there are obvious advantages in everyone agreeing on the terms and definitions, it causes dependencies between standards projects. There are lingering disagreements over the meanings of terms such as ‘information asset’ and ‘cyber’ (currently undefined), and bureaucratic delays in publishing the free version of the standard. The standard might become an online glossary but whether that will help or hinder is uncertain. [The current online glossaries are not exactly paragons of web design and functionality – take a look at the ISO Online Browsing Platform (OBP) and/or the IEC’s equivalent International Electrotechnical Vocabulary (IEV, a.k.a. Electropedia) and see what you think.]
  2. The updated versions of ISO/IEC 27003 (ISMS implementation guide) and ISO/IEC 27004 (metrics) are nearing release, possibly before 2017. Both are (in my opinion) huge improvements over the current versions, recommended reading for everyone on this Forum when they are released.
  3. The project to update ISO/IEC 27005 ('information security risk management'*) has been canned. It was a victim of its own success in that lots of creative changes were proposed, derailing the project from its core objective to update the standard to reflect the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002. It ran out of time on the ISO-imposed project timescale. The update project should be restarted with a more tightly-defined scope, meaning that those ‘creative changes’ may be held over to a subsequent version, or might possibly surface in other ISO27k standards.
  4. Within ISO27k, several cloud security and eForensics standards are nearing completion, plus others on application security and incident management. The committee is as busy as ever, especially given that ISO27k is only about half of its remit (there is a parallel programme of identity management, privacy and other IT security standards). There are lots of liaisons, too, coordinating things with other ISO committees, industry bodies and specialist groups. 
This is all ‘unofficial’ info: if that matters to you, please check with ISO/IEC or your national standards body for the ‘official’ version, without my errors, cynicism and bias. And please put me right if I am wrong or off-base. I’d welcome other perspectives. Please join the free ISO27k Forum to discuss this further with more than 3,000 other fans of the ISO27k standards.

Regards, 
Gary (Gary@isect.com)

* It's really about the management of 'information risk' but that term is not yet used within ISO27k, unfortunately. I'm working on it.