Posts

Showing posts from April, 2011

ISO/IEC JTC1/SC27 meeting report 4 (updated)

Hello again from the SC27 meeting. Today we ended our editing of ISO/IEC 27002 having discussed sections 10 through 15 during the week [the earlier sections having been covered in the previous SC27 meeting]. Yesterday, we worked until 10pm to try to cover as much as possible. We have discussed literally hundreds of comments and proposed changes to the standard: I don't propose to detail them all here but will mention a few specifics that are close to my heart: Structure: many information security controls are relevant to several chapters of the standard, and could therefore be included in several places. However, the duplication is unhelpful, and wording differences due to the different contexts can be confusing for readers, so as a general rule, we try to describe the controls just once where most relevant and, if appropriate, cross-reference them from the other sections. This process broke down for the change management control which is currently in both the O...

ISO/IEC JTC1/SC27 meeting report 3 (updated)

Here's my unofficial progress update from Singapore, updated Thursday: ISO/IEC 27000 : work has completed.  1st revision of 27000 will be based on the existing/current versions of 27001 and 27002 - a 2nd revision will pick up the revised versions of 27001 and 27002 in due course, plus ISO 27799.  "Management system", "policy" and "stakeholder" terms from JTC1/TMB may cause problems for ISO27k (work in progress).  Will put effort into collecting terms from other teams in a comprehensive and systematic way.  Likely to go to 3rd WD after this meeting. ISO/IEC 27001 : progressing well, likely to upgrade to 1st CD after this meeting.  Will give feedback to JTC1/TMB regarding the proposed alignment of all ISO 'management systems' standards on a common structure.  With a lot of work, the imposed structure and text has mostly been incorporated fine, with just a few areas of concern. ISO/IEC 27002 : we are still working through the 850-odd comments.  S...

ISO/IEC JTC1/SC27 report 2

Hello again from the ISO/IEC JTC 1/SC 27 meeting in Singapore. Today I have been involved in a session considering the ~800 comments received on the last working draft of the revised ISO/IEC 27002 (got that?!). The enormous number of comments reflects the breadth of interest in this standard, and the need to update it in various respects to catch up with differences in information security controls since the 2005 version. That version was written about 7 to 8 years ago, so you can probably guess at some of the significant changes that we are considering. Aside from obvious examples such as cloud computing, we are also dealing with more general changes such as the continued move from IT security to information security, which means incorporating and/or explaining controls in a broader context than purely IT or communications technology, going beyond the traditional remit of the IT department. Today so far we have been discussing changes to section 10 "Communications and...

ISO/IEC JTC1/SC27 meeting report 1

I'm writing this report during the first day of the SC27 meeting in Singapore not as a detailed or formal report, rather as an informal, personal summary of events and news so far, specifically in relation to the ISO/IEC 27000 family of standards (which are only part of the agenda for the meeting). Although the meeting has several parallel streams, I cannot be in more than one place at once, but chatting to SC27 colleagues who have attended other sessions can help fill in the gaps to some extent. Furthermore, this is a dynamic and complex environment: things are changing as I write this sentence - literally. There are informal discussions ongoing in front of me concerning the scope and nature of a standard that we have just been discussing, and other parallel sessions are going on in other rooms. Anyway, with that background, it's time to spill the beans on day 1 so far. The revisions of ISO/IEC 27001 and 27002 have been the primary items of interest, mostly because of the la...

Attesting to cloud security

Here's a curiosity: a cloud computing vendor information security self-assessment scheme that appears to be supported by a bunch of security companies, rather than (as I would have anticipated) a bunch of cloud service vendors keen to tick all the boxes without having to put up with some frightful auditor poking around the place. I guess I'm feeling very cynical this evening. The thought of vendors in such a competitive and booming marketplace, stating their security status, even in 'an open and transparent manner', doesn't fill me with any more confidence than their extravagant marketing gloss. Maybe I have totally misinterpreted it? What do you think?

Google for the military

An intriguing piece in Defense Systems indicates that the US Army is deploying a cloud based military intelligence system in Afghanistan: As the first tactical cloud operating in Afghanistan, the Army’s Distributed Common Ground System (DCGS-A) pools intelligence collected from the beginning of the war in Iraq up until today, aggregated from various databases for wider, faster and easier access and decision-making.  Army Col. Charles Wells, DCGS-A program manager, said the system is a paradigm shift.  “This is for better analysis and increased communications,” Wells said, noting that DCGS-A will leverage cloud computing to analyze all data, all the time.  “We’re trying to be a Google for intelligence,” said Army Maj. Philip Root, assistant program manager for the DCGS-A cloud. “One advantage of the cloud is that we can have advanced analytical tools, put it in the DCGS-A infrastructure and incorporate it very rapidly,” Root said. We can but hope they have compl...

IEEE to develop cloud computing interop standards

The IEEE has launched a program to develop standards for interoperability of cloud computing. The primary aim seems to be to permit portability of cloud apps between cloud platforms from different cloud vendors, but potentially there's much more at stake. Let's hope the standards will cover the information security elements as well - like for example how disparate cloud services should maintain secure communications channels and authenticate each other, as well as authenticating systems and users, passing authenticated user transactions among themselves, validating data ... actually when you think about it there are lots of security aspects to take into consideration, as anyone who has read this month's cloud security awareness module will appreciate.

Shared Assessments

Some managers claim to be wilting under compliance pressures, which is not surprising given the plethora of applicable laws and regulations, plus the contractual commitments they and their colleagues have made. Going back a stage or two, most of the laws, regulations and contractual clauses arose because self-regulation failed: some organizations and individuals did not behave responsibly, ethically and fairly, leading to the introduction of formal rules to bring them in line. Unfortunately, the rules apply to all, including those who have performed responsibly, ethically and fairly. Which is of course unfair. Going back another stage, organizations, individuals and industries had the chance to get their own act in gear without involving governments and regulators. "The professions" have done exactly that for generations, with a range of self-regulation schemes that have, in the main, worked well in protecting the interests of the professionals, if not always th...