In the course of catching up with a long backlog of ISO/IEC JTC 1/SC 27 emails and updating ISO27001security.com, I discovered that the third edition of ISO/IEC 27000 has just been released.
Like its predecessors, ISO/IEC 27000:2014 can be downloaded legitimately free of charge through the ITTF site.
The idea of '27000 being free is to encourage the adoption of a common glossary of information security terms, and to gain an appreciation of the ISO27k standards outlined within it. It's a shame the other ISO27k standards aren't also free as I'm sure it would markedly increase their adoption as with the excellent SP800-series security standards from NIST, but unfortunately I don't determine the pricing policies for ISO/IEC.
Although I haven't even finished reading the new edition and updating the site, I noticed already that the new version no longer defines the terms "asset" and "information asset". I suspect this was done in order to draw to a close the lengthy but rather unedifying SC27 discussions (OK, arguments!) around those contentious terms. Unfortunately, that does rather leave things up in the air. Does “information asset” mean the intangible information content, the tangible storage media, both, or something else? The distinction could be quite important in the context of various ISO27k standards, but I guess organizations using the standards will have to figure out the answers for themselves if the terms are used but not explicitly defined in those standards.
No comments:
Post a Comment
The floor is yours ...