This Website is updated frequently, several times a month, mostly reflecting the enormous amount of work going on behind the scenes to develop the ISO27k standards.  Hover your mouse cursor over the and icons throughout the site to see when the most recent updates were made.  Please revisit periodically or check the history of changes below to avoid missing out on anything important:

• May 2013: infosec governance standard ISO/IEC 27014 published.
• March 2013: the ISO27k Forum now has over 2,600 members.  Updated scopes and titles for some of the WGs under SC27 in the FAQ.  Status updates to 27033, 27036, 27038.  Added a page rank doo-dah.
• February 2013: minor status update to ISO/IEC 27040 on storage security.
• January 2013: the second edition of ISO/IEC 27000 was published at the end of 2012.  Added more goodies to the ISO27k Toolkit version 5.2 including another gap analysis spreadsheet (thanks to Sekar T).
• December 2012: ISO/IEC TR 27015 published for the financial services industry.  Spanish version of the process diagrams (thanks White Hat Consultores) and an information asset inventory (thanks Steve McColl) added to the ISO27k Toolkit page (but not yet the Toolkit ZIP file - there’s more to come).
• November 2012: housekeeping on external links.  Please would someone stop the Internet changing while we catch up?  Status updates to ISO/IEC 27014 (security governance), 27038 (digital redaction).  Thoroughly revised the generic ISO27k ISMS business case template.  Split the ISO27k FAQ into separate child pages (fixing the links we broke is a work in progress!).
• October 2012: put a link in the FAQ to a project estimator tool.  Updated various items in the ISO27k Toolkit and added a few more, including a new model security policy on email and peer-to-peer messaging (thanks to various contributors). ISO/IEC 27013 (combining ISMS+ITIL) and 27037 (collection of digital evidence) issued.
• August 2012: new Q&A in the FAQ concerning changes to a certified ISMS. ISO/IEC 27032 on “cybersecurity” (Internet security) and ISO/IEC 27033-2 on network security have been published.  Status updates on 27001, 27002, 27013, 27016, 27017, 27033, 27034, 27035, 27036, 27037, 27039, 27040, 27041, 27042 and 27043.  New fast-track standard ISO/IEC TR 27019 being prepared on process control security for the energy sector.  ISO27k timeline version 1.  Reviewed Calder & Watkin’s IT Governance book.  Updated the FAQ concerning studying to become qualified in this field.
• July 2012: further status updates to ISO/IEC 27004 (metrics), 27015 (ISMS in financial services), 27018 (privacy in public clouds).  BCMS specification/certification standard ISO 22301 released.  Server rebuilt following hack (yes, we too face infosec risks and fall back on incident management procedures and business continuity arrangements when our preventive controls prove inadequate!).
• June 2012: a trickle of status updates made as editors complete changes agreed at the SC27 meeting in Stockholm and release updated versions to SC27.
• May 2012: several more status updates following the SC27 meeting in Stockholm.  The cloud security standards are very confusing at present.
• April 2012: ISO/IEC 27010 published.  New FAQ on management-level security awareness & engagement.  Updated the site stats for our sponsors.  Tidied up the status of the ISO27k standards: expect further updates following the SC27 meeting in Stockholm.  ISO/IEC 27038 (digital document redaction) reached CD stage.  ISO/IEC 27033-2 (network security) should soon be published.  ISO/IEC 27013 (combined implementation of ISO20k+ISO27k) nears FDIS.  Status updates to 27001, 27014, 27033-5 and 27034-5.
• March 2012: reviewed Asset Protection through Security Awareness book.  Added compliance FAQs to the ISO27k FAQ.
• January 2012: added an apposite Bob Ralph quote to the ISO27k FAQ (thanks Bob!).  Answered What are residual risks? in the FAQ and updated the metrics Q&A.  Status updates to ISO/IEC 27001, 27002, 27017, 27033-2 & 27033-4.
• December 2011: updated a couple of ISO standards listed under other standards (thanks Colin).  The ISO/IEC 27035 page is being sponsored by QCC (cheers guys).  ISO/IEC 27006 updated to reflect the update of ISO 17021.  Added an FAQ on auditor-auditee disputes.
• November 2011: further status updates including publication of ISO/IEC TR 27008, 27006 (fast track revision, due out soon), 27007 (due out soon), 27010, 27013 (nearing finalization), 27014 (moving along), and 27001 (concerns over alignment with other MS standards).  Five new ISO27k standards are in development: ISO/IEC 27017 and 27018 (cloud computing) plus 27041, 27042 and 27043 (digital evidence).   Study period on Personal Information Management System.  ISO/IEC 27007 and 27034-1 published.
• October 2011: status updates from the Nairobi, Kenya meeting of JTC1/SC27 to ISO/IEC 27000, 27001, 27002 ...
• September 2011: added to the ISO27k Toolkit a form for data restoration details (thanks Vladimir).  ISO/IEC 27010 status updated - FCD approved.  The ISO27k Forum now has just over 2,300 members.  Linked to the ITU ICT security standards roadmap from the other standards page (thanks Tim).
• August 2011: updated WD of ISO/IEC 27038 on redaction of digital documents released to SC27.  Added an FAQ about requirements when building a Policy Management System, courtesy of Michael Rasmussen (fantastic!  Thanks Michael).  ISO/IEC 27035 on incident management released. 
• July 2011: the slew of new and updated drafts following the previous SC27 meeting continues.  New releases to SC27 this month are: 1^st WDs of ISO/IEC 27036-2 (generic information security requirements for supplier relationships), ISO/IEC 27036-3 (ICT supply chain risk management) and ISO/IEC 27039 (intrusion detection and prevention systems).  Status update on the proposed cloud computing project.
• June 2011: lots of updated drafts released to SC27 following the Singapore meeting: 2^nd CD of ISO/IEC 27014 (information security governance); FCD of ISO/IEC 27033-2 (network security); 2^nd CD of ISO/IEC 27037 (digital evidence); WD of ISO/IEC 27033-5 (VPNs) and ISO/IEC 27033-4 (firewalls); 1^st WD of ISO/IEC 27036-1 (outsourcing - note part 5 may become the cloud security standard); 1^st WD of ISO/IEC 27040 (storage security).  ISMS gap analysis and SoA spreadsheet added to the ISO27k Toolkit.  Linked to Dejan’s ROSI calculator.  ISO/IEC 27034-1 has reached FDIS.  FAQ updated re selecting certification bodies.  Linked to a paper on the value of ISO27k by Ted Humphreys.  The number of 27001 certificates approached 7300.
• May 2011: reviewed ISO/IEC 27001 for SMEs.  ’27001 certificates passed 7200.  Added a Q&A about other professional groups and forums, thanks to a helpful suggestion from Phil Palmer (thanks Phil!).  ISO/IEC 27013 1^st CD released.  ISO/IEC 27005:2011 published.  ISO/IEC 27032 FCD released.
• April 2011: reviewed Ted Humphreys’ ISO27k book Information Security Risk Management.  Introduced BITS Shared Assessments to the other standards page.  Updated numerous ISO27k pages following the SC27 meeting in Singapore.  Added a new page for ISO/IEC 27016 on the economics of information security.  Gave an update on the study period for the security aspects of cloud computing.  Added a new Q&A on creating security culture.
• March 2011: updated the page for ISO/IEC 27036: we’re looking for further input on the risks and controls associated with outsourcing information services.  Trimmed down the long list of risk management products in the FAQ, leaving just those that are free or whose vendors support this website.  Referenced SD6, SC27’s detailed glossary in the list of standards.  ISO/IEC 27005 (2^nd edition) FDIS is out.  Updated more of the other standards.  ISO/IEC 27031 published.  Corrected the titles of a few ISO27k standards.  Added a generic risk list to the ISO/IEC 27010 page.
• February 2011: launched an eShop selling branded merchandise for ISO27k lovers to help cover the costs of running this website and the associated ISO27k Forum.  Added an FAQ about exceptions and exemptions, and another about how to conduct ISMS audits.  ISO/IEC 27034-1 FCD revised.  ISO/IEC 27036-1 WD1 released.  New SC27 project approved on storage security. 
• January 2011: over 7,000 ISO/IEC 27001 certificates have been issued.  ITU-T has proposed two further parts to the telecoms industry ISMS standard ISO/IEC 27011 also known as X.1051.  Updated the website visitor feedback and launched our first poll.  Made the ISO27k Forum world-readable, by popular demand.  A new ISO27k standard on digital redaction has just left the starting blocks.  Reviewed Information Security Governance book.  Added SAS70 and SSAE156 (which sounds like a motor oil) to the other standards page.  Answered an FAQ on common ISO27k ISMS implementation issues.  ISO/IEC 27015 title changed. ISO/IEC 27037 reached 1^st CD.  ISO/IEC 27035 at FDIS.
• December 2010: status updates on ISO/IEC 27001 and ’27002 pages.  Minor FAQ updates and a new PDF version of the FAQ released.  Updated the ISO27k Toolkit to version 4.1 with a few new documents and minor tweaks here and there.  ISO/IEC 27007 and ’27031 are not going to be published before the end of this year but will hopefully see the light of day during 2011.
• November 2010: minor status update to ISO/IEC 27007 page.  Reviewed a book on information security management metrics.
• October 2010: at the meeting in Berlin, SC27 worked through some 300 pages of comments on ISO/IEC 27002, as well as discussing all the other ISO27k standards currently under development.  Published status updates on ISO/IEC 27032 and 27033-2.  Started checking and correcting off-site links: this will take a while to complete!  Meanwhile, please let us know about any broken hyperlinks, or suggest additional relevant links.  Added an overview presentation on implementing and certifying an ISMS to the Toolkit, thanks to Marty Carter.
• September 2010: published a French version of the ISO27k ISMS implementation and certification process diagram (merci cher Chistophe Bregeras pour le traduction!).  PCI DSS v2 is due out at the end of next month (major users can see it already).  Added an example ISMS implementation project plan in MS Project to the ISO27k Toolkit, thanks to Marty Carter.  Referenced an information security guideline from the government of New South Wales.  Minor updates to a few of the ISO27k draft standards showing progress.  Thanks again to Marty Carter, provided a ‘controls cross check’ spreadsheet to classify ISO/IEC 27002 controls.  ISO/IEC 27001 is to be aligned with other management systems ISO standards.  The FCD of ISO/IEC 27034-1 on application security received a mixed response from SC27.
• August 2010: updated the Mehari description in the ISO27k FAQ.  Added a note to the ISO27k Forum etiquette page about Out-Of-Office emails.  Noted the NIST infosec glossary under other standards.  Referenced some useful threat catalogs in the FAQ, and added the BITS spreadsheet to the list of risk analysis methods.  I’ve just discovered that network security standard ISO/IEC 27033-1 was in fact published at the end of 2009 - how did I miss this?  Released a PDF version of the ISO27k FAQ designed for easier printing and offline browsing.  ISO/IEC 27031 on the IT parts of business continuity has reached FDIS stage and should hit the streets in 2010.
• July 2010: the ISO27k Forum welcomed its 2,000^th member.  Updated the forum tips re providing the context when posing questions.  The number of ISO/IEC 27001 certificates has passed 6,500.  Added more visitor feedback from our survey.
• June 2010: added an FAQ&A about the differences between audit and risk assessment.  Launched an ISO27k Forum project to identify and address information security risk and control issues that are relatively weak or, in some cases, completely missing from ISO/IEC 27002.
• May 2010: this website reached its fifth birthday!  Updated the following pages with information from the SC27 meeting in Malaysia at the end of April: ISO/IEC 27000, 27001, 27002, 27005, 27006, 27008, 27010, 27014, 27037 and other ISO27k standards.  Provided website visitor and page statistics for our commercial advertisers and sponsors.  Expanded the FAQ section on LA and LI qualifications and more CMS/DMS options.  The number of ISO27001 certificates issued passed 6,400 this month.
• April 2010: fixed all the broken links on the ISO27k Toolkit page [raspberries to NetObjects Fusion for yet again breaking them].  Minor status update re the network security standard ISO/IEC 27033-3.  ISO/IEC 27001 may need a restructure to align all the management standards.  Minor status updates to various ISO27k pages including 27000, 27005, 27008, 27013 and 27014, based on info released for the forthcoming SC27 meeting in Malaysia next month.  Updated ISO/IEC 27031 following the “pass” vote on the FCD.  ISO/IEC 31010 on risk assessment has been published.  Added the Verinice ISMS support tool to the FAQ.  Updated the visitor feedback piechart and comments.  ISO27001 certificates passed 6,300 last month.
• March 2010: ISO27k Toolkit updated to version 3.9 with an awareness presentation (and we subsequently fixed some broken hyperlinks in the overview document).  The ISO27k Forum now has 1,900 members!  Added a snippet of news on ISO/IEC 27007.  Published a more detailed review of the ITIL v3 security book.  Published a Croatian version of the ISO27k implementation and certification process overview diagram, thanks to Juraj Ljubesic, and a Polish version thanks to Robert Plawiak.
• February 2010: new Q&A about preparing for recertification audits.  Added yet more risk management products to the FAQ.  ISO/IEC 27003 has been published.
• January 2010: re-sequenced the ISO27k FAQ a bit more logically.  Added yet more products to the bottomless pit of ISMS support tools in the FAQ.  Answered FAQs about compliance obligations and scoping the ISMS.  Started accepting commercial sponsorship and advertisements to help cover our mounting costs - modified the contact us, disclaimer and privacy policy pages accordingly.  Updated info drawing on the Committee Drafts of ISO/IEC 27032 (cybersecurity) and ISO/IEC 27034 (application security).  Added ISO 19011 to the other standards page.  Not sure how I missed it.  Note on 27005 about fast-track update.  Added info about the IT Grundschutz IT baseline protection manual from Germany to the other standards page.  Removed free links to product vendors from the ISO27k FAQ: however vendors are very welcome to sponsor a link and help support this website!
• December 2009: further updates to various ISO27k pages following the SC27 meeting last month.  The number of 27001 certificates has passed 5,900, and the ISO27k Forum now has over 1,800 members.  ISO/IEC 27004 on metrics has been published.  Answered an FAQ about how many man-years it takes to implement an ISMS.  Published a document mapping PCI-DSS controls to ISO/IEC 27001 Annex A controls (thanks Mohan).  Updated the title of ISO/IEC 27031 from the FCD.  Noted the imminent release of a revised and ISO27k-aligned ITIL v3 security book.
• November 2009: minor updates to the status of various ISO27k standards, drawn from the agenda for the SC27 meeting this month in Redmond.  Added yet more advice to the FAQ section on choosing risk analysis methods/tools.
• October 2009: after a discussion on the ISO27k Forum, relaxed the criteria for forum membership to welcome on board information security pros who are at the very earliest stages or are perhaps merely considering implementation.  Also published a selection of the kind and insightful comments received from Forum members during that discussion.  Added a Q&A re policy length.
• September 2009: cited two NISTIR papers.  Outlined the certification auditor’s interest in ISMS internal audits in the FAQ.  Updated the ISO27k Toolkit with additional papers on classification kindly contributed by Mohan Kamat.  Added yet more CMS and risk management systems to the ISO27k FAQ.  The ISO27k Forum has over 1,700 members.  Linked to an IBM paper on the business value of information security (thanks John).  Expanded on the FAQ about involving the whole organization.  Updated the feedback page.
• August 2009: added a Guideline on people asset valuation and Roles and responsibilities for information asset management to the ISO27k Toolkit page, thanks to Mohan Kamat.  Updated the page on ISO/IEC 27003 to reflect the FDIS version.  Updated the history of ISO/IEC 27002 and BS7799.  Reviewed a book on implementing an ISMS in a Windows environment.  Updated the list of NIST SP800 standards.  Started an FAQ on ISMS content management systems (we will be adding more product links over the next few weeks) and another FAQ on ISO27k conformance vs compliance vs certification.  Hyperlinked the FAQ contents list.
• July 2009: updated the PDF version of the ISO27k FAQ for those who would rather print it out to contemplate in the “little room”.  Added a Q&A to the FAQ about ISMS metrics.  Purged broken links throughout the site [if you find any more, do let us know].  Noted an ISMS implementation guidebook by Ted Humphreys.  Update on the new ISO27k standard on outsourcing - ISO/IEC 27036 - and on part one of the network security standard ISO/IEC 27033.  Added a new white paper - a case study on implementing an ISMS using PMBOK (thanks David).  NIST SP800-53 rev C was released at the end of the month and is well worth a look by all ISO27k users.
• June 2009: the ISO27k Forum has amassed a community of over 1,600 members!  Updated the ISO27k Toolkit to version 3.7 with additional content from Richard and Thomas.  Over 5,600 organizations have been certified to ISO/IEC 27001.  Added advice on preparing the Risk Treatment Plan to the FAQ.  Noted another ISO27k implementation guidance book.
• May 2009: added chaRMe information security risk management support tool to the list in the FAQ.  Provided info on ISO/IEC 27037.  Corrected the description of the Proteus tool.  Updated several ISO27k pages following the SC27 meeting in Beijing.  Updated the FAQ with info on Lead Auditor and Lead Implementor ‘qualifications’ (short training courses really).  ISO/IEC 27000 has been released, and it’s free of charge!
• April 2009: ISO/IEC 27011 was published by ISO/IEC in 2008 after all, despite searches on the ISO site initially coming up empty (was fixed after we reported it).  The final comments on ISO/IEC 27000 have been addressed so that one is finally about ready to roll.  Hundreds of pages of comments on ISO/IEC 27003 and 27004 do not bode well for either standard, especially as these had both progressed to FCD stage.  Welcomed our 1,500^th member to the ISO27k Forum.  The next SC27 meeting in Beijing is rapidly approaching.  Added another view of the certification process to the ISO27k Toolkit (thanks Howard).  Added an FAQ comparing the PCI-DSS checklist approach to ISO27k.  Updated the ISO/IEC 27003 page with info from the FCD.  Corrected the title of ISO/IEC 27011.  New project approved for ISO/IEC 27036 (outsourcing).  The ISO/IEC secretariat has been referring to ISO/IEC 27009, not ISO/IEC 27013 as previously advised, for the proposed ISMS/ITIL combined management system standard.
• March 2009: updated the ISMS metrics examples paper and released version 3.5 of the toolkit.  Minor updates to the online ISO27k FAQ but more significant updates to the PDF version.  Added a link to a SecureAware demo by Neupart, plus a link to Meycor KP.  Updated the website visitor survey results (further feedback is always welcome!).
• February 2009: added stochastic techniques, Risk IT, ISO/IEC Guide 73 and a British generic risk management standard to the information security risk analysis methods listed in the FAQ.  We’re fast approaching 60 methods!  Added a section on ISMS auditing to the FAQ, and another Q&A about limiting the ISMS scope to IT.  Changed to an off-site link for the website user survey in an attempt to speed up the dreadfully slow page loading.  Added links to BERR’s descriptions of most sections of ISO/IEC 27002.  Repeated questions up front in the FAQ quick links section.  Noted Brian Honan’s new book on implementing ISO27001 under Windows.  Updated the page for ISO/IEC 27032 on cybersecurity.
• January 2009 (a busy month!): noted IIA’s GAIT-R risk analysis method in the FAQ and other standards pages.  Updated the website visitor feedback.  Added pragmatic implementation tips throughout the FAQ.  According to a diagram from SC27/WG1 convenor Ted Humphreys, the infosec governance standard will become ’27014 not ’27009 as we originally thought.  The ISMS guideline for financial services will probably be ’27015 and the ITIL/ISMS guideline will be ’27013.  [Please don’t shoot the messenger for these changes!  It’s a drawback of trying bringing you preliminary information as early as possible, perhaps too early sometimes.]  Added a Google search box to the home page as requested.  The number of ISO/IEC 27001 certified organizations passed 5,190 at the end of 2008!  Added a paper detailing the ISMS documents mandated by ISO/IEC 27001 to the ISO27k Toolkit (thanks Osama).  The 1^st CD of ISO/IEC 27035 on incident management has been issued in SC27 for comment.  Added a new Q&A to the FAQ about mandatory controls.  Updated the process diagrams in the ISO27k Toolkit (thanks again Osama!).  Added Delphi to the risk analysis methods in the FAQ.  Added a begging page to solicit donations towards our costs incurred in maintaining this site.
• December 2008: updated the ISO/IEC 27033 page following release of the FCD of 27033 Part 1.  Noted ISO/PAS 22399 standard on incident preparedness and operational continuity management on the other standards page.  Added another 18 risk management and GRC products to the ISO27k FAQ (thanks to Hakimuddin Gheewala!).  Noted release of BS 10008 on protecting electronic forensic evidence.  The number of ISO/IEC 27001 certified organizations passed 4,987 at the end of November.  Listed two more BSI ISO27k guidelines.
• November 2008: further information emerged from the Cyprus meeting.  Added new pages for ISO/IEC 27009, 27012 and 27013 and updated anticipated publication dates etc. for other ISO27k standards.
• October 2008: published the remaining ISO27k implementation case studies by Stiki.  PCI DSS has been updated.  Added OCTAVE Allegro to the list of risk analysis methods in the ISO27k FAQ.  Suggested that new members to the ISO27k Forum might scan the archives and FAQ to avoid repeating common questions.  Explained step 14 of the ISO/IEC 27001 certification process.  [The FAQ needs sorting out - one day].  Published a revised mind-map summarizing ISO/IEC 27002.  The number of ISO/IEC 27001 certified organizations hit 4,848 at the end of September.  Made various updates following the Cyprus meeting of SC27 earlier this month, including a new page for ISO/IEC 27012.  Moved the website visitor feedback page underneath the visitor survey.  Added a new page for ISO/IEC 27035.  Described the structure of ISO/IEC 27001.  Linked to a CD of STIGs and associated checklists etc., ideal for developing corporate technical security standards.  Added info about ISO TR 13569.
• September 2008: added a neat tag line about the ISO27k Forum (“where every contribution is treasured and every member valued”) courtesy of two Forum members celebrating their ISO/IEC 27001 certification (well done Richard and Dr Hasan!).  Added advice to the FAQ on desirable characteristics of an ISM/CISO (thanks Wawet).  Refined the rules for the ISO27k Forum to mention copyright compliance.  Added a Q&A with advice to ISMS implementation project managers to the FAQ (thanks Nathan), and noted vsRisk and RA2 risk analysis software.  Linked to deux livres blanc on ISO27k topics (merci bcp Gérôme!).  Added a Delicious bookmarklet to the home page.  Published three Stiki case studies concerning ISO27k implementations.  Added another Q&A to the FAQ, this one on documenting your ISMS.  Added a new page to share website visitor feedback from the survey.  Have you had your say yet?
• August 2008: added info on ISO/PAS 28000 on supply chain security.  Referenced FMEA in the ISO27k FAQ and added an FMEA spreadsheet to the ISO27k Toolkit (thanks Bala).  ISO 27799 was released in June (don’t know how we missed it!).  The 2^nd draft ISO/IEC 27034 on application security has a slightly revised title.  2^nd drafts of ISO/IEC 27007 on ISMS auditing and ISO/IEC 27031 on business continuity have been released to JTC1/SC27 members for comment.  Added yet more risk analysis methods and tools to the FAQ.  Repaired a broken link in the toolkit and gave NetObjects Fusion a stern ticking-off.  Some 4,700 ISO/IEC 27001 certificates have been awarded, reversing a slight dip in the graph compared to the normal trend.  Published the whole ISO27k Toolkit as a single ZIP file for easier downloading.  Published the whole ISO27k FAQ as a PDF for easier printing.  Linked to the pre-release info on PCI DSS v1.2 under other standards (thanks Anton) and to SOMAP’s risk analysis method in the ISO27k FAQ (thanks Adrian).  Started using Google Analytics to find out which parts of the site are the most popular.  Added a survey to gather feedback from our website visitors.
• July 2008: we’ve moved office so altered the address in the privacy policy.  Added an information classification guideline to the ISO27k Toolkit (thanks Michael).  NIST SP800-55 Revision 1 on information security metrics released.  Added a paper describing roles and responsibilities for contingency planning to the ISO27k Toolkit (thanks Larry).
• June 2008: updates on the other standards page outlining the latest 2008 versions of ISO/IEC 12207, 15288 and 38500 (thanks Nigel!).  Update re FCD voting on ISO/IEC 27000 by September.  Added an FAQ section on information vs IT security.  Added information on the multi-part network security standard 27033 and ISMS implementation guideline 27003.  Added brief mentions of FRAP, FAIR and COBIT to the risk assessment section of the FAQ.  ISO/IEC 27005 released.
• May 2008: altered the page layouts.  The design is still not quite right but will just have to do for now.  Substantially updated the ISO/IEC 27033 page with information on the existing ISO/IEC 18028 standard from which 27033 will be derived.  Added ISO 38500 IT governance standard to the other standards page.  Summarized and commented on the FDIS of ISO 27799.  Updated the ISO27k Toolkit overview and contents to 3v1.  Updated most page descriptions to match the contents (doh!).  Added info on accreditation bodies and accredited ISO/IEC 27001 certification bodies to the FAQ.
• April 2008: created a separate page for the ISO27k Toolkit, moving the contents over from the white papers page.  Added an ISMS high-level policy and scope examples to the toolkit.  Noted the draft ISO 31000 and 31010 risk management standards plus Guide 73 under other standards.  Added “DIS” to the ISO/IEC acronyms listed in the FAQ.  Linked to 2 new NIST SP800 drafts.  Updated numerous ISO27k pages and added new pages for ISO/IEC TR 27008 and ISO/IEC 27010 following the SC27 meeting in Kyoto this month  Also updated the other ISO27k standards page with preliminary information on proposed work items.  By the end of April, 4,489 organizations were certified against 27001.

• March 2008: published release 1 of our ISMS Audit Guideline.  Moved and extended information on the ISO27k Forum from the FAQ to a dedicated page.  Added notes about the study group looking into a new standard for ISMS technical audits, and ISACA’s exposure draft guideline.  Expanded the FAQ item on ISO/IEC acronyms and committee names.  Outlined the new ICT DR standard ISO/IEC 24762 to the other standards page, with a link from ISO/IEC 27031.  Expanded the ISO/IEC 27005 page with an outline of risk analysis methods worth considering.  Linked to the California State guidance on implementing ISO/IEC 27002.  Reviewed an incident management book from BSI.
• February 2008: published our infosec glossary.  Increased the page width across the entire site to make better use of typical LCD screen sizes.  Fixed a handful of broken links.  Invited visitors to get involved in the project working to develop ISMS audit guidelines.  Tidied up some links.
• January 2008: expanded advice on security policies and sorted the list of risk analysis methods in the ISO27k FAQ.  Published a pair of papers: a case study and business case for ISO27k.  Updated the pages on ISO/IEC 27031, 27032 and 27034.
• December 2007: uploaded examples of information security metrics aligned with ISO/IEC 27002 from an ISACA workshop.  Linked to an ISO survey (thanks Javed).  Fixed a handful of broken links.  Noted good progress on ISO/IEC 27000.  4,140 organizations were 27001 certified by the start of December 2007.  Clarified the SoA and RTP descriptions in the ISMS implementation process outlined in the FAQ.  Uploaded a white paper listing the top information security threats, vulnerabilities and impacts, along with risk scenarios and suggested controls.
• November 2007: added Microsoft’s security risk management guide to the list of risk analysis methods referenced in the ISO27k FAQ (thanks Javier).  Also referenced NIST SP 800-39.  Updated the status of standards up to ISO/IEC 27011.  Updated the ISMS documents checklist.  Uploaded a laptop security policy sample.  Minor updates on most of the ISO27k standards pages following feedback from the JTC1/SC27 meeting in Lucerne last month.  Published a Spanish version of the ISO/IEC 27002 implementation guidance and metrics paper, along with an updated English version with fixed hyperlinks, and BS 25999-2 has been released (thanks again Javier).  Added a bunch of links.
• October 2007: published an infosec risk analysis spreadsheet, a router security checklist aligned with ISO27k and a revised information asset inventory doc.  We’ve heard that part 2 of the business continuity standard BS 25999 is due to be published early in November (thanks Rob).  Added more standards and info to the other standards page, drawing on an excellent summary of security standards in the APEC-TEL handbook.  Published a risk register template (thanks Madhukar).
• September 2007: updated the ISO/IEC 27000 page to note the second Committee Draft.  Similarly for ISO/IEC 27005 (second Final Committee Draft).  Wrote about getting hold of and contributing to draft standards in the FAQ.  Added a page for our growing collection of ISO27k white papers, including a new generic checklist of ISMS documents.  Started adding sample ISMS documents too.  Updated the ISO/IEC 27033 page.  Uploaded an annotated presentation on infosec frameworks (thanks Rob).  Published a Visio version of the Corrective Action Procedure, then an example ISMS internal audit procedure (thanks Richard) and a document outlining a typical information security management function and key roles.  ISO/IEC 27000 will probably be free of charge!  ISO/IEC 27011 is progressing relatively quickly.  The ISO/IEC 27001 certificate count passed 4,000 (4,036 in fact).
• August 2007: clarified history by retracing the origins of ISO/IEC 27002.  Made page titles more descriptive.  Noted BSI DISC PD003, ISO27k’s progenitor, and a rumoured predecessor from NCC.  Published a graph showing growth in ISO/IEC 27001 certificates issued over the last two year.  Updated the other standards page with more information on ISO 9000 and PCI DSS.  Added info on ISO/IEC 18028. Added more info on accredited ISMS certification bodies to the FAQ.  Some 3,879 organizations have been ’27001 certified.
• July 2007: noted ISO 31000 (draft) guidance on risk management in the FAQ.  Revised the site map to describe each page in a few words or less.  Started spartan pages for ISO/IEC 27032 and ISO/IEC 27034.  Published ISO/IEC’s confirmation that ISO/IEC 17799:2005 became 27002:2005, and a press release on the same subject.  It has been proposed that ISO/IEC 18028 be renamed ISO/IEC 27033.  The telecomms implementation guide will be ISO/IEC 27011.  Noted BSI’s release of BS25999-2 in draft for comments this month.  The number of ISO/IEC 27001-certified organizations reached 3,781.
• June 2007: updated the FAQ with advice on creating an inventory of information assets .  ISO/IEC 17799 has been renamed ISO/IEC 27002.  ISO/IEC 27001 certifications passed 3,600.  Added a little to the explanation of ISO/IEC JTC1 SC27 in the FAQ.  Noted that ISO/IEC 27031 is to be a business continuity standard, not telecomms implementation guidance (we don’t now know what the latter standard’s number will be).  Added a link to NFPA 1600 emergency management and BCP standard on other standards.  Having (quite rightly) been pulled up elsewhere for not using the full names, added the “/IEC” part to the ISO/IEC standards listed on this site.  Published version 1 of the ISO/IEC 27001/2 implementation guidance and metrics paper (later revised).
• May 2007: ISO/IEC 27006 was quietly released by ISO/IEC in February (don’t know how we missed it!).  ISO/IEC 27001 certifications have passed 3,500 and the ISO27k Forum has over 500 members.  Linked to a useful ISO27k implementation guide/manual from Australia.
• April 2007: added a disclaimer regarding our (non-)relationship to ISO/IEC.  Updated information on X.1051 / ISO/IEC 27011 (thanks Benjamin).  Published a flow chart diagram of a generic ISO/IEC 27001/2 implementation and certification process, and some more detailed explanation in the FAQ.  Updated the risk analysis FAQ section to mention the Australia/New Zealand risk management standard 4360.  Like expectant parents, we’re anxiously awaiting official news of the renaming of ISO/IEC 17799 to ISO/IEC 27002 ...
• March 2007: updated the FAQ including an outline of ISO/IEC committee JTC1/SC27’s 5 working groups and a section on risk analysis.  Set up pages for ISO/IEC 27031, the telecomms industry ISO/IEC 27002 implementation guidance, and ISO 27799, the health industry’s equivalent.  Uploaded a mind map summarizing ISO/IEC 27002.  The Xisec ISMS International User Group site is evidently being redeveloped so we’ve suspended the link.
• February 2007: it turns out that ISO/IEC 27007 is the number for a proposed ISMS auditing guideline, not a DCP standard as we originally guessed (sorry!).  ISO/IEC 17799 is due to become ISO/IEC 27002 this April.  Made a slight update to the description of risk management standard ISO/IEC 27005, thanks a presentation to ISACA by Peter Weiss.  Noted ISO 27799, a healthcare industry implementation guide for ISO/IEC 27002 (published in June 2008).  The count of ISO/IEC 27001 certified organizations has passed 3,300.  The ITU has revised its ISO/IEC 17799 implementation guidelines.
• January 2007: 3,246 organizations were certified ISO/IEC 27001 compliant at the start of 2007.  ANSI sells PDFs of ISO/IEC 27001 and ISO/IEC 27002 for just US$30 each!  Linked to a useful ITCi cross-reference matrix.  Removed reference to the BSI booklets by Ted Humphreys as they are nowhere to be seen on BSI-Global  :-(  Referenced a hard disk encryption standard in preparation: IEEE 1619.
• December 2006: continued building the FAQ with advice on starting an ISO/IEC 27001/2 implementation.  More questions and (especially) answers are always welcome.  Added ITU to the other standards page with a note about X.1051.
• November 2006: NIST has released the final version of Special Publication SP 800-100, their information security handbook.  Corrected links to the register of ISO/IEC 27001 certificates.  Answered an FAQ about getting started on ISO/IEC 27001 implementation.
• October 2006: revised the description of ISO 27006 which it turns out will not be a disaster recovery standard but will offer guidance to accredited ISMS certification bodies (thanks for the update Javier).  Updated the other ISO 27000-series pages with information from SC27.  Revised the privacy policy since we are not using other CISSPs to administer the forum after all.  Linked to a Canadian ISO 17799 user group meeting in Toronto.  Tweaked site design and added a simple logo (any graphic artists reading this who can do better are invited to contribute!).  Referenced PAS77, a new IT service continuity management standard, and BS 25999-1 that will soon replace PAS56.  Finally got around to referencing two guidebooks on ISO/IEC 27001 published last year by BSI.  ISO/IEC 27001 certifications have now passed the 3,000 mark!  Updated the NIST Special Publications list.
• September 2006: tidied-up the index on the ISO/IEC 27002 page.  Referenced records management standard ISO 15489 and sorted the ISO standards on the other standards page.
• August 2006: answered another FAQ re what happens during the certification process itself.  Redesigned the home page.
• July 2006: announced the release of ISO 18043 covering IDS.  Set up the discussion forum (email reflector, newsgroup) on Google Groups for those with a professional interest in implementing the standards.  Extensively revised the FAQ and links pages to list many more sources of information and guidance on ISO/IEC 27001/2.  Added a graphical site map.  Published a privacy policy.  Outlined certification and accreditation in the FAQ (twice).  Noted NIST/NSA/DISA’s invaluable STIGs on the other standards page.  Caved-in to demand by publishing guide prices for ISO27k standards in the FAQ.  Added a page of book reviews.  Added some more NIST Special Publications under other standards and quick links to navigate the same page.  ISO/IEC 27004 is in circulation as a Working Draft.
• June 2006: provided more information re ISO TR 18044 on security incident management.  Added ‘quick links’ contents list to the FAQ.  Updated links to BSI metrics booklets.
• May 2006: linked to the Australian Government Information and Communications Technology Security Manual.  Updated the other standards page re NIST Special Publications and referenced a new BSI security metrics booklet on the links page.
• April 2006: NIST FIPS 200 has been released - now listed on the other standards page.  Linked to an ISACA paper about the things to do post-certification.  Added links to ISM³ and NIST SP 800-55 on the other standards page.  Made minor updates to ISO/IEC 27000, 27001, 27002, 27005 and 27006 pages following a BSI presentation to ISSA.
• March 2006: updated the ISO/IEC 27002 / ISO/IEC 17799 / BS 7799 page to outline the content of the 2005 version.  I do hope the new number will stick.  Updated the ISO/IEC 27006 page with info on SS507, the Singaporean standard for DR service providers (thanks again Catalin!).  Updated the ISO/IEC 27003 page with preliminary information on the implementation guide structure.  Updated the ISO/IEC 27005 page to note the delayed release this month of BS 7799-3:2006.  Linked to the excellent www.ISO27000.es for Spanish-speaking information security professionals.
• February 2006: corrected NIST’s full name on the other standards page (thanks Jim).  Answered an FAQ about keeping up with ISO27k news.  Referenced a paper by Rebecca Herold.  Noted delayed release of BS 7799-3.  Updated info on ISO/IEC 27005 and ISO/IEC 27006, and noted use of TR 13335-3 and -4 for the former, and SS507 for the latter (thanks Catalin!).
• January 2006: referenced PAS56 in other standards.  The number of BS 7799 Part 2 / ISO/IEC 27001 certified organizations passed 2,000.
• December 2005: ISO 20000 (ITIL) and COBIT v4 released - see the other standards page for links to more information.  These are important standards supplementing the ISO27k series.
• October 2005: ISO/IEC 27001 has been released a month earlier than we expected and refers to ISO/IEC 17799:2005 - various pages updated accordingly.  Added an initial information page on ISO/IEC 27006, and a guide to ISO’s acronyms for standards passing through the process to the FAQ (thanks Guy Coulleit).
• September 2005: added links on the other standards page to a whole bunch of NIST standards and the ISF Standard of Good Practice (free!).
• August 2005: BS 7799 part 2 certifications have passed 1,700!  Added some information on BS 7799 part 3 which is expected to become ISO/IEC 27005.  Updated pages on BS 7799 part 2 (ISO/IEC 27001) and ISO/IEC 17799 (ISO/IEC 27002).  Added “site last updated” field to the home page.  Centered all pages.
• July 2005: the FDIS draft of ISO/IEC 27001 was released.  ISO/IEC 27000, 27003 and 27005 pages were updated (thanks for the info Steve).
• June 2005: mentioned the release of the new 2005 version of ISO/IEC 17799.  Noted Systems Security Engineering - Capability Maturity Model under the >other standards page.  Restructured the site more logically and added breadcrumb trails and page descriptions.  Published initial information about ISO/IEC 27003.
• May 2005: domain registered, website built.  Changes will be frequent, especially whilst the website is knocked into shape and then it will continue evolving as the ISO27k standards are developed.  Call back often!

Live on the edge or bookmark and revisit this page from time to time to keep up with developments in the exciting and dynamic world of ISO27k.