SC27 interim sit-rep

27001 ISMS for government use - comments agreed, Standing Document to be produced.

27001 ISMS defect concerning 'risks and opportunities' should have covered risks to the ISMS not to information security.  Issue was slopy-shouldered to 27005 revision project (then promptly rejected by them!). Decision to defer this to next planned revision of this standard.  

27002 security controls revision SP - challenging meeting. Plan to develop 2 versions of a template standard: (1) with the controls laid out in the front part in 4 categories with various 'views' of the controls appended according to the attributes; (2) with the views up front and the controls laid out in a catalogue as an annex. SP to be extended another 6 months, giving time for expert comments. [Meeting ongoing]

27005 information security risks - challenging meeting and robust discussion. 27005 scope changed again to support 27001 clauses on 'Risks and opportunities' plus 'risk assessment and treatment' only (not the rest of information risk management). [Meeting ongoing]

27007 ISMS auditing - all comments resolved.  Standard to go to FDIS next, plus a justification to extend the deadline by 6 months to allow finalization.

27008 technical auditing - comments resolved, some issues to be held over to next revision. All agreed.

27009 use cases SP - comments agreed, except for a problem with clause numbering using letters (falls foul of the ISO Directives).  Plan to issue a SD not an IS.

27011 telecomms security - simple defect reported, one subsection title to be corrected from 'Classification guideline' to 'Classification of information' to align with 27002.

27015 ISMS for financial services - 91% approval to withdraw, so that's it really.

27021 infosec management competencies - comments resolved, moves towards completion. All bar 1 vote turned to yes, hopefully will move to FDIS next. 

Cyber security/resilience - a robust discussion. Agreed to merge SPs and continue another 6 months as cybersecurity SP. New Call For Contributions to be prepared soon.

IEC liaison - waiting for/working on liaison statements. Published standard 62443-2-4 covers certification for IACS solution providers. 62443-2-1 is being revised, but alignment with ISO/IEC 27001 is problematic. It can still provide a useful catalogue of controls for a 27001 ISMS.

STRATUS project: NZ government+industry funded research project on cloud security, in conjunction with CSF and others. Research aims include data provenance, data protection, situational awareness and business continuity. See stratus.org.nz for more info. STRATUS wants to engage with, use and support SC27 activities through a 'category A' liaison.