Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Apr 17, 2017

NBlog April 17 - ISO/IEC JTC 1/SC 27 meeting

Today I'm off to the University of Waikato in Hamilton for the SC 27 meeting. 

I'm planning to catch up with developments on most if not all of the ISO27k standards, in particular:
  • ISO/IEC 27000 - is this going to be dropped in favour of an online glossary? What happened to the definitions for 'information asset', 'information risk' and 'cyber'? 
  • ISO/IEC 27001 - how did the boilerplate section on 'risk & opportunity' get hijacked as information risk?
  • ISO/IEC 27002 - how is the idea of tagging the controls going to work out? Is that just another recipe for interminable 
  • ISO/IEC 27003 - new version due soon, all done?
  • ISO/IEC 27005 - any chance of this being updated and published soon/ever? And if it is fast-tracked, where next - 'information risk management' maybe?
  • ISO/IEC 27007 - new version due soon, all done?
  • ISO/IEC TR 27008 - new version nearing completion, ready to finalise?
  • ISO/IEC 27017, 27018, 27036 and others - where are we with cloud security standards?
  • ISO/IEC 27021 - is the competency framework well thought out? How will this drive the ISO27k training & qualifications?
  • ISO/IEC 27031 - where does this stand in relation to ISO 22301?
  • ISO/IEC 27034 - is application security getting there?
  • IoT and IIoT security - what's happening?
There are some general issues I'm hoping to chat about too, such as:
  • High level, generic information risk and security principles or axioms as a unifying theme and structural framework
  • SC 27 project governance e.g. requiring all NWIPs to be accompanied by reasonably complete WD1 drafts of proposed standards or be canned; perhaps splitting 27002 into static and dynamic parts, or reducing it to a controls overview standard supported by as many detailed controls standards (i.e. the remainder of the ISO27k suite plus others) as necessary
  • Non-technical, non-IT, non-cyber information, information risks and information security controls, the meaning of 'cyber', and revisiting the scope and purpose of SC 27
  • Explicitly describing the information risks addressed by each of the ISO27k standards
  • Collaborative working practices, filling-in the gaps between SC 27 meetings with discussion and joint development, making the committee more responsive to surging market demands
  • ISO27k marketing e.g. reducing the price of the core standards for a trial promotional period; bulk pricing for sets of standards; advertising; branding; sales and certification figures
  • NZ and Australia shadow committees & collaboration
Most importantly, I'm really looking forward to socialising with committee members from around the world, welcoming them to NZ, renewing old friendships and establishing new ones. About 400 delegates are expected to attend, a massive challenge for someone as shy and retiring as me!

I'll be blogging from Hamilton this week as time permits.

Regards,