Friday, November 23, 2007

The ISO 22399 / PAS 22399 Dilemma

The business continuity story just gets stranger and stranger. We have covered this previously, with respect to ISO 27031. However, as events unfold the situation becomes ever more tangled.

To recap, there are a host of developments with respect to business continuity and standardization:

1) We have pondered where BSI's useful-looking business continuity management standard BS 25999-1 fits into the equation. Even within their own standard set they have a related publication, PAS77, and are developing a standard, BS 25777, from it. The second part of BS 25999 was in fact published this week, and as it is a specification, third party certification schemes will soon be in place.

2) Even within ISO though, the water is as clear as mud. A new standard, ISO 22399 (specifically ISO/PAS 22399) has just been published. This is a "Guideline for incident preparedness and operational continuity management".

Great: so where does this (ISO22399) fit with respect to ISO 27031? And what about chapter 14 of ISO 27002? Or ISO 27001? Let alone all those developments over at BSI, who seem far more advanced in the area.

One might ask what exactly is going on here? How do all these developments relate? Do ISO actually have any idea themselves?

If they do in fact have a road map or overview of all these overlapping standards, it would be nice if they shared it with the public. Our guess is that no such document exists, which is rather bad news for standardization in this area.


Wednesday, September 19, 2007

ISO 27000 Standard Groupings

Speculation has recently been rife regarding the future numbering system for the ISO 27000 series of standards. We know as a matter of fact the content areas of ISO 27001 through 27008. We also know about 27011, 27031, 27032, 27033 and 27799.

Although everything else lacks any form of confirmation, there is a logic being frequently quoted which at least gives some credibility to the stories.

The suggestion is that ISO 27010 through ISO 27019 will all cover information security within specific fields and industries. The following have in fact been quoted on a number of Spanish language websites:
  • ISO 27012: Guidelines for Finance
  • ISO 27013: Guidelines for Manufacturing
  • ISO 27015: Accreditation Guidelines
  • ISO 27016: Auditing and Reviews
It is also suggested that ISO 27030 through ISO 27044 will cover the technical areas of information security, such as cyber security, intrusion detection and trusted third party authentication.

Again, there is some supporting evidence for this, but equally, nothing at all in the way of confirmation.

If any reader of this log can clarify any of this, or provide additional information, please comment below.



Saturday, August 18, 2007

ISO 2703n: Latest Developments

A little more has come to light on the emerging ISO 27031-40 subset of the ISO27k standards. The following reflects the current position as we understand it.

ISO/IEC 27031
Information technology - Security techniques - ICT readiness for business continuity

ISO/IEC 27032
Information technology - Security techniques - Guidelines for Cybersecurity (Suggested)

ISO/IEC 27033
As referenced in previous articles, this is the revision of ISO 18028. It comprises seven distinct parts:

ISO 27033-1
Information technology - Security techniques - Network security - Guidelines for network security

ISO 27033-2
Information technology - Security techniques - Network security - Guidelines for the design and implementation of network

ISO 27033-3
IT network security - Reference networking scenarios - Risks, design, technologies and control issues

ISO 27033-4
IT network security - Security network information with network security gateways - Risks, design techniques and control issues

ISO 27033-5
IT network security - Secure remote access - Risks, design techniques and control issues

ISO 27033-6
IT network security - Securing communications across networks using Virtual Private Networks

ISO 27033-7
IT network security - Guidelines for the design and implementation of network security


ISO/IEC 27034
Information technology - Security techniques - Guidelines for application security


These are at various stages of the publication process, with at least one still at the proposal stage.


Thursday, July 19, 2007

ISO 17799 to ISO 27002: A Warning

It is well known that ISO 17799 has been renamed to ISO 27002. This was confirmed by the appropriate ISO Technical Committee some weeks ago.

A number of people questioned the need for this, and have asked why this couldn't wait until the next upgrade of the standard. Nonetheless, it went ahead, and we waited for the renamed copy to be made available.

Here is the crux though: ISO have now made this available... BUT.... it is simply ISO 17799:2005 with a single accompanying PDF sheet stating "Replace '17799' with '27002'". Seriously, that is it!

So the warning is that if you already have a copy of ISO 17799:2005 and were thinking of buying another copy to replace it, don't, unless the situation changes (and it may not).

If you don't have a copy of ISO 17799:2005 and were thinking of buying a copy of ISO 27002, go for ISO 17799:2005 instead if you can find that cheaper than ISO offer it for (and you can), unless the situation changes (and it may not).


We will continue to monitor the situation and will immediately post any changes which we identify.


Monday, July 16, 2007

And Another Emerges: ISO 27033

The next ISO 27000 series standard is on the starting block: ISO 27033.

On 12th July a formal note was distributed by the appropriate ISO committee (JTC 1 / SC 27) announcing a letter ballot for early revision and renumbering (to 27033) of existing standard 18028.

Obviously, this is the very start of a lengthy process, but the note also revealed the proposed structure of the new standard, which would comprise seven parts:

1. Guidelines for network security
2. Guidelines for design/implementation of network security
3. Reference networking scenarios
4. Securing communications between networks using gateways
5. Securing remote access
6. Securing communications across networks using VPNs
7. Guidelines for securing

Momentum for the series continues to increase.
