________________________

THE ISO 17799 NEWSLETTER
________________________

Welcome to the eleventh issue of ISO 17799 News, designed to keep you abreast of news and developments with respect to ISO 17799 and information security.

This edition is an 'Interview Special', in that we have started what will be an occasional series of exclusive interviews with prime movers and influencers within the 17799 arena. These will hopefully provide a much better insight into the standard in terms of its development, its implementation, and its future.

1) A STANDARD IN TRANSITION
===========================

Many people have questioned recent changes and proposed changes with respect to both ISO 17799 and BS7799. With so much happening in a relatively short period, it was perhaps inevitable that confusion would arise. Hopefully, we can clarify this and explain how events are likely to unfold.

Essentially, we had an 'upgrade' to ISO 17799 in June of this year. This has been published and is now current. This event was part of the normal sequence of events for standards, which do not tend to remain static indefinitely.

Perhaps the bigger changes, conceptually, are in the future. These are framed by the intention of re-numbering the standards so that they are sequentially aligned. ISO has set aside the numbers from ISO 27000 to support this; these are now specifically reserved for information security standards.

The current intention is as follows:

ISO 27001
This will be the number given to the revision of the current BS7799-2 standard. This is the requirements document for an information security management system (ISMS). The current state of play is that the final draft has been available for comment for some time, and can indeed be purchased. The final published version is expected later in the year.

ISO 27002
This number is actually earmarked for ISO 17799 itself (i.e. Security Techniques - The code of practice for information security management). At some point in the future, possibly with a revision, 17799 will become 27002. This change is not imminent.

ISO 27003
This is set aside for a new standard/document covering risk management.

ISO 27004
This number will be assigned to a standard covering Information Security Management Metrics and Measurements (how, what and when to measure ISMS processes and controls). It is not expected until 2007 at the earliest.

ISO 27005
This is likely to provide implementation guidelines, with a potential publication date of mid 2007.

As part of the overall process, a BS7799-3 standard is being developed, and has a planned publication date of the very end of this year, or early next year. It is expected that this will evolve into the above ISO 27005.

Fw from 17799 news.