ISO/IEC JTC1/SC27 meeting report 3 (updated)
Here's my unofficial progress update from Singapore, updated Thursday:
- ISO/IEC 27000: work has completed. 1st revision of 27000 will be based on the existing/current versions of 27001 and 27002 - a 2nd revision will pick up the revised versions of 27001 and 27002 in due course, plus ISO 27799. "Management system", "policy" and "stakeholder" terms from JTC1/TMB may cause problems for ISO27k (work in progress). Will put effort into collecting terms from other teams in a comprehensive and systematic way. Likely to go to 3rd WD after this meeting.
- ISO/IEC 27001: progressing well, likely to upgrade to 1st CD after this meeting. Will give feedback to JTC1/TMB regarding the proposed alignment of all ISO 'management systems' standards on a common structure. With a lot of work, the imposed structure and text have mostly been incorporated fine, with just a few areas of concern.
- ISO/IEC 27002: we are still working through the 850-odd comments. Section 10 is 'done'. Will continue the meeting until 10pm today, and again tomorrow morning. Structural changes are still being discussed. Discussions are generally positive. May progress to 1st CD after this meeting, but possibly another WD.
- ISO/IEC 27006: editing finished, comments resolved, standard successfully aligned with the new version of ISO 17021 under time pressure. Minor changes made - basically "should" has become "shall". The revised 27006 will go to DIS vote urgently after this meeting with final clearance for publication being sought at the next SC27 meeting in Kenya later this year, with publication in Jan/Feb 2012. The standard will then go into a normal, lengthier, systematic review process in parallel with the planned revision of 17021.
- ISO/IEC 27007: document is stable and agreed. However, the dependence on ISO 19011 is creating some problems for the editing group due to late revisions of 19011 (now at FDIS), particularly late structural changes and content changes around auditor competence. 27007 is likely to progress to FDIS soon.
- ISO/IEC 27008: edit meeting is tomorrow ...
- ISO/IEC 27010: currently at 1st CD. Edits finished. All tech comments addressed. Structural changes to be made to align with the current 27002. Will incorporate certain parts of the text from 27002 where needed for explanation and readability. Will go to DIS after this meeting.
- ISO/IEC 27011/X.1051: standard is still needed. Likely to be revised in a year or two (after 27002 is revised and stable).
- ISO/IEC 27013: in progress, technical comments done. Liaison with another committee is working. Project has fallen behind so pressure is on. Will go to CD after this meeting.
- ISO/IEC 27014: lively security governance discussions completed. Project has fallen behind so pressure is on. 2nd CD likely to be issued after this meeting, and DIS after next meeting.
- ISO/IEC 27015: over 100 pages of comments addressed. Lively sessions. Project has fallen behind so pressure is on. Extensive financial sector specific input has now been received and is being incorporated. ISO TC68/SC2 committee member will join the edit group soon. Will go to 3rd WD or CD after this meeting. Project may yet be terminated if the standard does not get sufficient support.
- ISO/IEC TR 27016: good progress, productive meeting. Will go to 2nd WD. Want more contributions. The standard's intended audience is the CISO or ISM to use in proposing investment in an ISMS to senior management.
- Cloud computing security and privacy: the study period is going well. It is likely to continue in some areas for a further 6 months and may then propose further parts. For starters, a 3-part standard will be proposed: (1) Requirements standard, (2) Controls guideline (a top priority for development by the committee) and (3) Audit guidance. NWIP drafting meeting planned for Friday. Cloud Security Association editor likely to be invited if CSA liaison is agreed.
So far, so good!