ISO 27000 series – What to expect in 2013?
Believe it or not, there are more than 30 standards in the ISO 27k series. And, to make things worse, they are constantly changing because information security theory and best practice are continuously evolving.
Here’s what will probably happen in 2013:
ISO/IEC 27001 – Since this is the main standard in the ISO27k series, its revision is expected with high excitement. It was published in what is, for this area, a very distant 2005, so the changes are certainly not going to be minor. The largest change (besides the controls from Annex A – for those see ISO 27002 below) will be in the structure of the standard – according to ISO directives Annex SL (previously called Draft Guide 83), the structure of every management standard will have to be aligned, so the same destiny is intended for the new revision of ISO 27001 as well. Such changes are best visible in ISO 22301, the new business continuity standard, which was the first one to be compliant with Guide 83 – click here to see the structure of ISO 22301.
The date for publishing of ISO 27001 hasn’t been set yet, but it could be somewhere in second half of 2013.
ISO/IEC 27002 – The revision of this standard will be published together with ISO 27001 because, as you probably know, it gives guidelines for implementation of controls from ISO 27001 Annex A – therefore, these two standards need to be aligned completely. See here what is expected to change: ISO 27002 – What will the next revision bring?
ISO/IEC 27004 – This is the standard that defines information security metrics; in other words – how to measure information security in an organization. It was initially published in 2009, and it will be in the revision process during 2013. It is, however, not likely that new revision will be published in 2013.
ISO/IEC 27006 – This standard defines the requirements for certification bodies that provide the auditing services. Since other auditing standards (ISO 19011 and ISO/IEC 17021) are currently being revised, it is expected that the revised version of ISO 27006 will be published in 2013 or 2014.
ISO/IEC 27011 is the standard that provides guidelines for information security management in telecoms – since it relies heavily on ISO 27002, it will be revised once the new version of ISO 27002 is published. It may happen in 2013, but more likely in 2014.
ISO/IEC 27014 defines the governance of information security; since this standard is – at the time of writing this article – in FDIS status, it is expected to be published in the first half of 2013.
ISO/IEC TR 27016 is the standard that defines organizational economics for information security management. Since this standard is still in the draft version, it is theoretically possible that it will be published in 2013; however, 2014 is much more realistic as a publishing year.
ISO/IEC 27017 is the standard that will define a very hot area: security in cloud computing. Since it will depend heavily on revised ISO 27001 and ISO 27002, at best it will be published at the end of 2013 or the first half of 2014.
ISO/IEC 27018 is the standard that will provide code of practice for data protection controls for public cloud computing services – similar to ISO 27017, this standard will wait until ISO 27002 is published. Let’s hope we’ll see it in 2013, or some time shortly after that.
ISO/IEC TR 27019 is the standard that focuses on information security management guidelines for the energy industry. Since it is based on ISO 27002, it is not expected to be published until the end of 2013 or in 2014.
ISO/IEC 27033-5 is still in the draft phase, and defines how to use secure communications using Virtual Private Network (VPNs). Its publication is expected near the end of 2013.
ISO/IEC 27036 is still in the draft phase, too, and it specifies how to regulate information security in supplier relationships. This standard will be published in four or five parts, three of which could be published during 2013 or early 2014.
ISO/IEC 27040 defines another very interesting area: storage security. It is scheduled to be published in 2013, but may be pushed to 2014.
As you can see, many standards are to be published soon, or at least are going to be revised. Who says information security is a boring business?