Wednesday, September 19, 2007

ISO 27000 Standard Groupings

Speculation has recently been rife regarding the future numbering system for the ISO 27000 series of standards. The content areas of ISO 27001 through 27008 are known as a matter of fact. We also know about 27011, 27031, 27032, 27033 and 27799.

Although nothing else has been confirmed in any form, a logic is frequently quoted which at least lends the stories some credibility.

The suggestion is that ISO 27010 through ISO 27019 will all cover information security within specific fields and industries. The following have in fact been quoted on a number of Spanish language websites:
  • ISO 27012: Guidelines for Finance
  • ISO 27013: Guidelines for Manufacturing
  • ISO 27015: Accreditation Guidelines
  • ISO 27016: Auditing and Reviews

It is also suggested that ISO 27030 through ISO 27044 will cover the technical areas of information security, such as cyber security, intrusion detection and trusted third party authentication.

Again, there is some supporting evidence for this, but equally, nothing at all in the way of confirmation.

If any reader of this blog can clarify any of this, or provide additional information, please comment below.



Monday, July 16, 2007

And Another Emerges: ISO 27033

The next ISO 27000 series standard is on the starting block: ISO 27033.

On 12th July the responsible ISO committee (JTC 1 / SC 27) distributed a formal note announcing a letter ballot for the early revision of the existing standard ISO 18028 and its renumbering to 27033.

Obviously, this is the very start of a lengthy process, but the note also revealed the proposed structure of the new standard, which would comprise seven parts:

1. Guidelines for network security
2. Guidelines for design/implementation of network security
3. Reference networking scenarios
4. Securing communications between networks using gateways
5. Securing remote access
6. Securing communications across networks using VPNs
7. Guidelines for securing

Momentum for the series continues to increase.


Tuesday, July 10, 2007

ISO27000 Interviews

We are planning a series of short interviews with leading industry figures. These will be posted from this page as and when they are published.

The list of early contenders is currently being drawn up. We will then approach the lucky interviewees!

Please return to this page for more information.


Wednesday, July 4, 2007

How is ISO27000 Related to ISO 31000 And BS31100?

The answer is: we don't know! So why ask the question? Because it probes the relationship between different aspects of risk assessment, and different sets of standards.

We stumbled upon two holding sites: one for ISO 31000 and one for BS31100. Scratching the surface with both ISO and BSI didn't reveal much more. However, it does appear that these BOTH address risk management at a corporate/organizational level. Security risk assessment is part of this, but only part of it.

Why 31000 and 31100? Clearly this similarity indicates SOME relationship and forethought, but at this stage we could not determine specifically what this was. It does appear that BS31100 is much closer to fruition than ISO31000, but how they are related will be interesting to determine, as will the scope for BS31100 to become ISO 31100 or perhaps ISO 31001.

The precise relationship between these and BS7799-3, and/or ISO27005, will also be interesting to see. There will surely be cross references between them, as there are logical relationships between them. How much further that goes remains to be seen.

This does illustrate, however, that it isn't just the ISO 27000 series which is 'shrouded in mystery', but others too. For those of us who thrive on clarity, it is a bit of a nightmare!
