
Showing posts from May, 2021

Stepping on the cracks

Anyone seeking information security standards or guidance is spoilt for choice, e.g.:

- ISO27k - produced by a large international committee of subject matter experts and national representatives
- NIST SP 800 series – well researched, well written, actively maintained ... and FREE!
- IT Grundschutz - a typically thorough Germanic approach, to the point of absurdity (4,800 pages! It's encyclopaedic!)
- CSA - cloud security guidance is their home turf
- COBIT - takes a deliberately different perspective on 'risk' and 'control'
- Secure application development standards such as those from OWASP
- IT standards and methods as a whole: relevant because IT or cyber security is clearly a big part of information security
- HR, physical security, privacy and business continuity standards and methods as a whole: filling in the substantial gaps in IT or cyber security
- Risk management standards, the best of which at least mention the im...

News on ISO/IEC 27002

Today I’ve slogged my way through a stack of ~50 ISO/IEC JTC1/SC27 emails, updating a few pages here and there on ongoing standards activities. The most significant thing to report is that the project to revise the 3rd (2013) edition of ISO/IEC 27002 appears on-track to reach final draft stage soon and will hopefully be approved this year, then published soon after (during 2022, I guess).

The standard is being extensively restructured and updated, collating and addressing about 300 pages of comments from the national standards bodies at every stage. The editorial team are doing an amazing job!

The new ‘27002 structure will have the controls divided into 4 broad categories or types, i.e. technical, physical, people and ‘organizational’ [=other]. For comparison, the standard is currently structured into 13 security domains. ‘27002 will nearly double in size, going from 90 to 160 pages or so, thanks to new controls and...