Thursday, July 19, 2007

ISO 17799 to ISO 27002: A Warning

It is well known that ISO 17799 has been renamed ISO 27002. The renaming was confirmed by the responsible ISO committee (ISO/IEC JTC 1/SC 27) some weeks ago.

A number of people questioned the need for this and asked why it could not wait until the next revision of the standard. Nonetheless, it went ahead, and we waited for the renamed copy to be made available.

Here is the crux: ISO has now made it available, but it is simply ISO 17799:2005 with a single accompanying PDF sheet (formally, a one-page technical corrigendum) stating "Replace '17799' with '27002'". That really is all there is to it.

So the warning is this: if you already hold a copy of ISO 17799:2005 and were thinking of buying another copy to replace it, don't, unless the situation changes (and it may not). The content is identical.

If you don't have a copy of ISO 17799:2005 and were thinking of buying a copy of ISO 27002, buy ISO 17799:2005 instead if you can find it cheaper than the price ISO charges for 27002 (and you can), unless the situation changes (and it may not).


We will continue to monitor the situation and will immediately post any changes which we identify.


Saturday, June 30, 2007

ISO 27000: Where Are We?

The ISO 27000 series of information security standards is a moving target. This is a 'live page' which will be kept current with the latest situation as we understand it.

ISO 27000
Not yet published. It will define vocabulary and definitions for the rest of the series.

ISO 27001
Published. This is the specification for an ISMS (information security management system), and the standard against which an organisation is certified.

ISO 27002
Awaiting publication. This will be the rename of ISO 17799.

ISO 27003
Not yet published. This will be an implementation guide.

ISO 27004
Not yet published. This will cover measurement and metrics for information security management.

ISO 27005
Not yet published. This will cover information security risk management, and is likely to be based upon BS7799-3.

ISO 27006
Published. This sets out the requirements for bodies providing audit and certification of an ISMS, i.e. it governs the certification and registration process rather than the ISMS itself.

ISO 27007
Not yet published. This will cover the audit process for an ISMS.

ISO 27031
Not yet published. This standard will cover ICT business continuity planning.

ISO 27032
Not yet published. This is currently a proposed standard for internet security.

ISO 27799
Awaiting publication. This will be the first sector-specific application of ISO 27002, giving guidance on implementing its controls in the health sector.


ISO 27002 Status

There is no real rush: ISO 27002 is simply the re-publication of ISO 17799 under a different name, with no change to the content. Why this was deemed necessary as an interim publication, rather than being done at the next revision, is unclear. However, the momentum behind the ISO 27000 series concept has driven the decision in this direction.

The original intention was to rename ISO 17799 in April 2007. Due to several factors, this did not occur. The decision to press ahead was nonetheless endorsed in May at a meeting of the responsible ISO sub-committee (ISO/IEC JTC 1/SC 27).

Despite this, a search of the major internet webstores and a scan of the standards bodies' websites indicate that ISO 27002 is still not available.

We will update this post when this position changes.
