Hover your mouse cursor over the and icons throughout the site to see when recent updates were made. We normally remove the icons after about a month so please revisit every month or check the sequence of website changes listed below to see what you’ve missed:

• May 2008: altered the page layouts. The design is still not quite right but will just have to do for now. Substantially updated the ISO/IEC 27033 page with information on the existing ISO/IEC 18028 standard from which 27033 will be derived. Added ISO 38500 IT governance standard to the other standards page. Summarized and commented on the FDIS of ISO 27799.
• April 2008: created a separate page for the ISO27k Toolkit, moving the contents over from the white papers page. Added an ISMS high-level policy and scope examples to the toolkit. Noted the draft ISO 31000 and 31010 risk management standards plus Guide 73 under other standards. Added “DIS” to the ISO/IEC acronyms listed in the FAQ. Linked to 2 new NIST SP800 drafts. Updated numerous ISO27k pages and added new pages for ISO/IEC TR 27008 and ISO/IEC 27010 following the SC27 meeting in Kyoto this month Also updated the other ISO27k standards page with preliminary information on proposed work items. By the end of April, 4489 organizations were certified against 27001.

• March 2008: published release 1 of our ISMS Audit Guideline. Moved and extended information on the ISO27k Implementers’ Forum from the FAQ to a dedicated page. Added notes about the study group looking into a new standard for ISMS technical audits, and ISACA’s exposure draft guideline. Expanded the FAQ item on ISO/IEC acronyms and committee names. Outlined the new ICT DR standard ISO/IEC 24762 to the other standards page, with a link from ISO/IEC 27031. Expanded the ISO/IEC 27005 page with an outline of risk analysis methods worth considering. Linked to the California State guidance on implementing ISO/IEC 27002. Reviewed an incident management book from BSI.
• February 2008: published our infosec glossary. Increased the page width across the entire site to make better use of typical LCD screen sizes. Fixed a handful of broken links. Invited visitors to get involved in the project working to develop ISMS audit guidelines. Tidied up some links.
• January 2008: expanded advice on security policies and sorted the list of risk analysis methods in the ISO27k FAQ. Published a pair of papers: a case study and business case for ISO27k. Updated the pages on ISO/IEC 27031, 27032 and 27034.
• December 2007: uploaded examples of information security metrics aligned with ISO/IEC 27002 from an ISACA workshop. Linked to an ISO survey (thanks Javed). Fixed a handful of broken links. Noted good progress on ISO/IEC 27000. 4,140 organizations were 27001 certified by the start of December 2007. Clarified the SoA and RTP descriptions in the ISMS implementation process outlined in the FAQ. Uploaded a white paper listing the top information security threats, vulnerabilities and impacts, along with risk scenarios and suggested controls.
• November 2007: added Microsoft’s security risk management guide to the list of risk analysis methods referenced in the ISO27k FAQ (thanks Javier). Also referenced NIST SP 800-39. Updated the status of standards up to ISO/IEC 27011. Updated the ISMS documents checklist. Uploaded a laptop security policy sample. Minor updates on most of the ISO27k standards pages following feedback from the JTC1/SC27 meeting in Lucerne last month. Published a Spanish version of the ISO/IEC 27002 implementation guidance and metrics paper, along with an updated English version with fixed hyperlinks, and BS 25999-2 has been released (thanks again Javier). Added a bunch of links.
• October 2007: published an infosec risk analysis spreadsheet, a router security checklist aligned with ISO27k and a revised information asset inventory doc. We’ve heard that part 2 of the business continuity standard BS 25999 is due to be published early in November (thanks Rob). Added more standards and info to the other standards page, drawing on an excellent summary of security standards in the APEC-TEL handbook. Published a risk register template (thanks Madhukar).
• September 2007: updated the ISO/IEC 27000 page to reflect the current status of this document (i.e. the second Committee Draft). Similarly for ISO/IEC 27005 (second Final Committee Draft). Added a question and answer about getting hold of and contributing to draft standards to the FAQ. Added a page for our growing collection of ISO27k white papers, including a new generic checklist of ISMS documents. Started adding sample ISMS documents too. Updated the ISO/IEC 27033 page a little. Uploaded an annotated presentation on infosec frameworks (thanks Rob). Published a Visio version of the Corrective Action Procedure, then an example ISMS internal audit procedure (thanks Richard) and a document outlining a typical information security management function and key roles. Added a brief note to ISO/IEC 27000 (this one will probably be free of charge!) and 27011 (progressing relatively quickly). The ISO/IEC 27001 certificate count passed 4,000 (4,036 in fact) by the end of September.
• August 2007: clarified history by retracing the origins of ISO/IEC 27002. Made page titles a bit more descriptive. Noted BSI DISC PD003, ISO27k’s progenitor, and a rumoured predecessor from NCC. Published a graph showing growth in ISO/IEC 27001 certificates issued over the last two years. Updated the other standards page with more information on ISO 9000 and PCI DSS. Added info on ISO/IEC 18028. Added more info on accredited ISMS certification bodies to the FAQ. Some 3,879 organizations have been ’27001 certified by the end of August.
• July 2007: noted ISO 31000 (draft) guidance on risk management in the FAQ. Revised the site map to describe each page in a few words or less. Started spartan pages for ISO/IEC 27032 and ISO/IEC 27034. Published ISO/IEC’s confirmation of the name change for ISO/IEC 17799:2005 becoming 27002:2005, and a press release on the same subject. It has been proposed that ISO/IEC 18028 be renamed ISO/IEC 27033. The telecomms implementation guide will be ISO/IEC 27011. Noted BSI’s release of BS25999-2 in draft for comments this month. The number of ISO/IEC 27001-certified organizations reached 3,781 at the end of July.
• June 2007: updated the FAQ with advice on creating an inventory of information assets based on a contribution to the forum by FF Ramos (thanks Fabio!). Updated references from ISO/IEC 17799 to ISO/IEC 27002 following the renaming by ISO/IEC. ISO/IEC 27001 certifications passed 3,600 in May. Added a link to Proteus Enterprise security risk management software to the FAQ. Added a little to the explanation of ISO/IEC JTC1 SC27 in the FAQ. Noted that ISO/IEC 27031 is to be a business continuity standard, not telecomms implementation guidance (we don’t now know what the latter standard’s number will be). Added a link to NFPA 1600 emergency management and BCP standard on other standards. Having been (rightly) pulled up elsewhere for not using the full names, added the IEC part to many of the ISO/IEC standards listed on this site. Published version 1 of the ISO/IEC 27001/2 implementation guidance and metrics paper.
• May 2007: ISO/IEC 27006 was published by ISO/IEC in Feb (don’t know how I missed it). ISO/IEC 27001 certifications have passed 3,500 and the ISO27k Implementers’ Forum has over 500 members. Added a link to a useful ISO27k implementation guide/manual from Australia.
• April 2007: added a disclaimer regarding our (non-)relationship to ISO/IEC. Updated information on X.1051 / ISO/IEC 27011 (thanks Benjamin). Published a flow chart diagram of a generic ISO/IEC 27001/2 implementation and certification process, and some more detailed explanation in the FAQ. Updated the risk analysis FAQ section to mention the Australia/New Zealand risk management standard 4360. Like expectant parents, we’re anxiously awaiting official news of the renaming of ISO/IEC 17799 to ISO/IEC 27002 ...
• March 2007: made a couple of updates to the FAQ including an outline of ISO/IEC committee JTC1/SC27’s 5 working groups and a section on risk analysis. Set up separate pages for ISO/IEC 27031, the telecomms industry ISO/IEC 27002 implementation guidance, and ISO 27799, the health industry’s equivalent. Uploaded a mind map summarizing ISO/IEC 27002. The Xisec ISMS International User Group site is evidently being redeveloped so we’ve suspended the link for now at least.
• February 2007: it turns out that ISO/IEC 27007 is the number for a proposed ISMS auditing guideline, not a DCP standard as we originally guessed (sorry!). ISO/IEC 17799 is due to become ISO/IEC 27002 this April. Made a slight update to the description of risk management standard ISO/IEC 27005, thanks a presentation to ISACA by Peter Weiss. Noted ISO 27799, a healthcare industry implementation guide for ISO/IEC 27002 (in preparation). The count of ISO/IEC 27001 certified organizations has passed 3,300. The ITU has revised its ISO/IEC 17799 implementation guidelines.
• January 2007: fixed a few broken links. For the record, 3,246 organizations were certified ISO/IEC 27001 compliant at the start of 2007. ANSI is selling PDFs of ISO/IEC 27001 and ISO/IEC 27002 for just US$30 each! Linked to a useful ITCi cross-reference matrix. Removed reference to the BSI booklets by Ted Humphreys as they are nowhere to be seen on BSI-Global  :-(  Referenced a hard disk encryption standard in preparation: IEEE 1619.
• December 2006: continued building the FAQ with more advice on starting an ISO/IEC 27001/2 implementation. More questions and (especially) more answers are always welcome. Corrected our office address. Fixed various broken links. Added ITU to the other standards page with a note about X.1051.
• November 2006: NIST has released the final version of Special Publication SP 800-100, their information security handbook. Corrected links to the register of ISO/IEC 27001 certificates. Added a Q&A about getting started on ISO/IEC 27001 implementation to the FAQ.
• October 2006: revised the description of ISO 27006 which it turns out will not be a disaster recovery standard but will offer guidance to accredited ISMS certification bodies (thanks for the update Javier). Updated the other ISO 27000-series pages with information from SC27. Revised the privacy policy since we are not using other CISSPs to administer the forum after all. Linked to a Canadian ISO 17799 user group meeting in Toronto. Tweaked site design and added a simple logo (any graphic artists reading this who can do better are invited to contribute!). Referenced PAS77, a new IT service continuity management standard, and BS 25999-1 that will soon replace PAS56. Finally got around to referencing two guidebooks on ISO 27001 published last year by BSI. ISO 27001 certifications have now passed the 3,000 mark! Updated the NIST Special Publications list.
• September 2006: tidied-up the index on the ISO/IEC 27002 page.  Referenced records management standard ISO 15489 and sorted the ISO standards on the other standards page.
• August 2006: answered another FAQ re what happens during the certification process itself. Redesigned the home page.
• July 2006: announced the release of ISO 18043 covering IDS. Set up the discussion forum (email reflector, newsgroup) on Google Groups for those with a professional interest in implementing the standards. Extensively revised the FAQ and links pages to list many more sources of information and guidance on ISO/IEC 27001/2. Added a graphical site map. Published a privacy policy. Outlined certification and accreditation in the FAQ (twice). Noted NIST/NSA/DISA’s invaluable STIGs on the other standards page. Caved in and published some guideline prices for standards in the FAQ. Added a page of book reviews. Added some more NIST Special Publications under other standards and quick links to navigate the same page. ISO/IEC 27004 is in circulation as a Working Draft.
• June 2006: provided more information re ISO TR 18044 on security incident management. Added ‘quick links’ contents list to the FAQ. Updated links to BSI metrics booklets.
• May 2006: linked to the Australian Government Information and Communications Technology Security Manual. Updated the other standards page re NIST Special Publications and referenced a new BSI security metrics booklet on the links page.
• April 2006: NIST FIPS 200 has been released (listed on the other standards page). Linked to an ISACA paper about the things to do post-certification. Added links to ISM³ and NIST SP 800-55 on the other standards page. Minor updates to ISO 27000, 27001, 27002, 27005 and 27006 pages following a BSI presentation to ISSA.
• March 2006: updated the ISO/IEC 27002 / ISO/IEC 17799 / BS 7799 page to outline the content of the 2005 version. I do hope ISO will stick to a consistent name. Also updated the ISO/IEC 27006 page with a bit more info on SS507, the Singaporean standard for DR service providers, and an outline of the proposed ISO standard (thanks again Catalin!). Updated the ISO/IEC 27003 page with preliminary information on the implementation guide structure. Updated the ISO/IEC 27005 page to note the (delayed) release this month of BS 7799-3:2006. Added the Global Security Week logo to the front page (are you planning your involvement?). Linked to the excellent www.ISO27000.es for Spanish-speaking information security professionals.
• February 2006: corrected NIST’s full name on the other standards page (thanks Jim). Answered a FAQ about keeping up with ISO27k news. Referenced a paper by Rebecca Herold. Noted delayed release of BS 7799-3. Updated info on ISO/IEC 27005 and ISO/IEC 27006, and noted use of TR 13335-3 and -4 for the former, and SS507 for the latter (thanks Catalin!).
• January 2006: referenced PAS56 in other standards. The number of BS 7799 Part 2 / ISO/IEC 27001 certified organizations passed 2,000 around Christmas 2005!
• December 2005: ISO 20000 (ITIL) and COBIT v4 were released this month - see the other standards page for links to more information. These are important standards supplementing the ISO27k series.
• October 2005: ISO/IEC 27001 has been released a month earlier than we expected and refers to ISO/IEC 17799:2005 - various pages updated accordingly. Added an initial information page on ISO/IEC 27006, and a guide to ISO’s acronyms for standards passing through the process to the FAQ (thanks Guy Coulleit).
• September 2005: added links on the other standards page to a whole bunch of NIST standards and the ISF Standard of Good Practice.
• August 2005: hot news: BS 7799 part 2 certifications have passed 1,700! Added some information on BS 7799 part 3 which is expected to become ISO/IEC 27005. Updated pages on BS 7799 part 2 (ISO/IEC 27001) and ISO/IEC 17799 (ISO/IEC 27002). Added “site last updated” field to the home page. Centered all pages.
• July 2005: the FDIS draft of ISO/IEC 27001 was released. ISO/IEC 27000, 27003 and 27005 pages were updated (thanks for the information Steve).
• June 2005: mentioned the release of the new 2005 version of ISO/IEC 17799. Noted Systems Security Engineering - Capability Maturity Model under other standards. Restructured site more logically and added breadcrumb trails and page descriptions. Published initial information about ISO/IEC 27003.
• May 2005: domain registered, website built. Changes will be frequent, especially whilst the website is knocked into shape. Call back often!

Live on the edge or bookmark and revisit this page from time to time to keep up with developments in the exciting and dynamic world of ISO27k.