Pragmatic ISMS implementation guide (FREE!)

Early this morning (very early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017.

Overall, the meeting was very productive in that we got through a long list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points.

In summary:
  • 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001, 27002 and 27005:

    • These changes are mostly minor aside from the new section 6.3 on ISMS changes.

    • The totally revised 27001 Annex A is of no consequence to 27003 since the infosec controls are already explained at length in 27002.

    • Although these 27003 changes could be addressed by a relatively quick amendment to the current standard, there are several small changes scattered throughout so apparently that idea is a non-starter. Allegedly.

  • The new version will adopt ISO's version of plain English:

    • This involves extensive wording changes throughout the standard.

    • It also means a lot of work for the committee to distinguish simple editorial or stylistic changes from deliberate or unintentional technical changes that alter the meaning, deciding whether to accept or reject those changes.

    • It may be tough on non-native-English speakers to appreciate the nuances of 'plain English' ... and to be fair, some of us natives may struggle too!

  • It will be more carefully worded than the current version in accordance with ISO directives concerning semantics (e.g. generally avoiding 'should' and 'may'), studiously avoiding any hint that it adds or modifies the formal requirements of 27001 in any way.

  • It may include 'tasters' for related standards such as 27004 and 27005 with clear references, but will not attempt to summarize or substantially incorporate the content, avoiding duplication and potential coordination issues down the track when the individual standards are updated.

  • It may retain the current structure addressing each of the clauses/subclauses of 27003 in sequence, explaining the standard's formal language and offering implementation guidance (hopefully anyway: the possibility of cutting out the guidance to give implementers complete freedom was discussed but not agreed).

However, given that doing all of that will substantially delay release of the revised standard, I have unilaterally decided to release our Pragmatic ISMS implementation guideline in the meanwhile as a stop-gap for implementers. This is a plain English guide to help implementers understand what implementing ISO/IEC 27001:2022 means in practice.

Here's a sampler ...

It may bear some resemblance to the version of 27003 that gets issued in a few years' time (!) but it is most certainly unofficial, not sanctioned or reviewed by anyone from ISO/IEC. It's just an informal guide to tide people over until the proper one is done. Take it or leave it.

Your feedback is very welcome, particularly corrections and improvement suggestions ... which in turn might find their way back to SC 27's 27003 revision project if applicable.