ISO27k standards

ISO/IEC TS 27028 moved a step closer to publication by passing a vote at DIS stage. When released in the middle of 2026, the standard will have a new title not now mentioning ISO/IEC 27002: Guideline on using information security control attributes and a succinct scope: This document provides guidance on the use of information security control attributes. The guidance set out given in this document is generic and is intended to be applicable to all organizations, regardless

ISO/IEC JTC 1/SC 27/WG 1 has two interesting new projects on the cards ... ISMS implementation First comes a proposal to develop ISMS implementation guidance, essentially rejuvenating the original ISO/IEC 27003 . When the standard's 2010 first edition was revised in 2017, the committee decided to reduce the implementation guidance, instead focusing on explaining the I nformation S ecurity M anagement S ystem requirements in ISO/IEC 27001 . At the time (and subsequently, t

When drafting technical standards, there are natural tensions concerning the audience, purpose and language used. On the one hand, 'technical' implies complexities and precision in the content, with details relating to science and engineering. This generally means writing for a competent and knowledgeable professional audience, providing specific details to guide and enable them to get to grips with the subject matter. A technical standard on, say, nuts and bolts would typi

An initial draft of this standard has been released to SC27 as the first W orking D raft, so I took the opportunity to update the info page. '27566 concerns age verification - techniques to determine the age of a website or app user, for example to prevent minors accessing adult materials. Part 2 will form a bridge linking the foundational concepts in part 1 with the analytical approaches in part 3. It will advise on how to ascertain the age verification objectives, parame

Before the sun came up this morning, fueled by strong coffee and prompted by yet another lame social media thread about this, I've written a new FAQ concerning disclosure of the S tatement o f A pplicability. On LinkeDin, there's the usual confusing muddle of concerns and conflicting advice when someone asked whether a company can share its SoA, adding that (according to someone on Reddit last night [allegedly]) the [certification?] auditor said they "cannot share the SoA bec