Welcome to NBlog, the NoticeBored blog

Like the finer things in life, quality trumps quantity.

Apr 22, 2017

NBlog April 22 - ISO/IEC 27003 ISMS implementation guide published


ISO/IEC 27003:2017 has been published.  This is a fully revised version of the Information Security Management System (ISMS) implementation guide, originally published in 2010.

The new version is a significant improvement on the 2010 version.  It follows the structure of ISO/IEC 27001, providing pragmatic advice section-by-section on how to satisfy the requirements. I'm happy to recommend it.

The following core ISO27k standards are a sound basis on which to design and implement a management system to manage information risks (for historical reasons, termed "information security risks" or "cybersecurity risks" in the standards):

Unfortunately, ISO/IEC 27005 on information risk management is out of line with the set. A revised version of '27005 is not expected to surface for at least a couple of years. Meanwhile, '27003 gives useful advice in this area, while ISO 31000:2009 (a well-respected de facto risk management standard) is readily applied to information risks. There are several other information risk management standards, methods and approaches as well, all of which have their advantages and disadvantages: if your organization is already familiar with and using some other approach to risk management, it can probably be applied directly or adapted to suit information risk management.

For more information on the ISO27k standards, ISMS implementation, information risk management and so forth, please browse the ISO27k FAQ. If you are active in this area, you are very welcome to join the 3,500-strong ISO27k Forum. Although it is not 'official' ISO information, it is FREE.


Regards,