Welcome to the SecAware blog

I spy with my beady eye ...

25 Jan 2014

ISO/IEC 27000:2014 available now - for FREE!

In the course of catching up with a long backlog of ISO/IEC JTC1/SC27 emails and updating www.ISO27001security.com, I discovered that the third edition of ISO/IEC 27000 has just been released.

Like its predecessors, ISO/IEC 27000:2014 can be downloaded legitimately free of charge through the ITTF site

The idea of '27000 being free is to encourage the adoption of a common glossary of information security terms, and to gain an appreciation of the ISO27k standards outlined within it.  It's a shame the other ISO27k standards aren't also free as I'm sure it would markedly increase their adoption as with the excellent SP800-series security standards from NIST, but unfortunately I don't determine the pricing policies for ISO/IEC.  

Although I haven't even finished reading the new edition and updating the site, I noticed already that the new version no longer defines the terms "asset" and "information asset". I suspect this was done in order to draw to a close the lengthy but rather unedifying SC27 discussions (OK, arguments!) around those contentious terms. Unfortunately, that does rather leave things up in the air. Does “information asset” mean the intangible information content, the tangible storage media, both, or something else? The distinction could be quite important in the context of various ISO27k standards, but I guess organizations using the standards will have to figure out the answers for themselves if the terms are used but not explicitly defined in those standards.

Gary (Gary@isect.com)

UPDATE March 2015: see what I make of the latest draft of the standard.

UPDATE July 2016: the 4th edition is now available for FREE

1 comment: