Wednesday, July 4, 2007

How is ISO27000 Related to ISO 31000 And BS31100?

The answer is: we don't know! So why ask the question? Because it probes the relationship between different aspects of risk assessment, and different sets of standards.

We tripped upon two holding sites: one for ISO 31000 and one for BS31100. Scratching the surface with both ISO and BSI didn't reveal too much extra. However, it does appear that these BOTH address risk management at a corporate/organizational level. Security risk assessment is part of this, but only part of it.

Why 31000 and 31100? Clearly this similarity indicates SOME relationship and forethought, but at this stage we could not determine specifically what this was. It does appear that BS31100 is much closer to fruition than ISO31000, but how they are related will be interesting to determine, as will the scope for BS31100 to become ISO 31100 or perhaps ISO 31001.

The precise relationship between these and BS7799-3, and/or ISO27005, will also be interesting to see. There will surely be cross-references between these, as there are logical relationships between them. How much further that goes remains to be seen.

This does illustrate, however, that it isn't just the ISO 27000 series which is 'shrouded in mystery', but others too. For those of us who thrive on clarity, it is a bit of a nightmare!


Saturday, June 30, 2007

ISO 27000: Where Are We?

The ISO 27000 series of information security standards is a moving feast. This is a 'live page' which will be kept current with the latest situation as we understand it.

ISO 27000
Not yet published. It will define vocabulary and definitions for the rest of the series.

ISO 27001
Published. This is the specification for an ISMS.

ISO 27002
Awaiting publication. This will be the rename of ISO 17799.

ISO 27003
Not yet published. This will be an implementation guide.

ISO 27004
Not yet published. This will cover measurement and metrics for information security management.

ISO 27005
Not yet published. This will cover information security risk management, and is likely to be based upon BS7799-3.

ISO 27006
Published. This is a formal guide to the certification and registration process.

ISO 27007
Not yet published. This will cover the audit process for an ISMS.

ISO 27031
Not yet published. This standard will cover ICT business continuity planning.

ISO 27032
Not yet published. This is currently a proposed standard for internet security.

ISO 27799
Awaiting publication. This will be the first industry specific version of ISO 27002. It is focused upon the health sector.
