ISO/IEC 27003 revision

  • Gary Hinson
  • Dec 1
  • 3 min read

Updated: 5 days ago


Patiently chiselling another work of art for ISO

This month I am slaving away, diligently reviewing a Committee Draft of the next release of ISO/IEC 27003, updating the 2017 second edition.


ISO/IEC 27003:2017 provided 'explanation and guidance' on ISO/IEC 27001:2013. In practice, that meant mostly elaborating quite formally on the mandatory requirements from the main body of '27001.


According to the editorial team, the standard revision project was supposed to take place in three phases:

  1. Reference and align to the 2022 versions of '27001 and '2; consolidate the Guidance sections; avoid any suggestion of new ISMS requirements; then ...

  2. Adopt plain English; and finally ...

  3. Expand the ISMS implementation guidance.


In practice, phase 2 evidently commenced early, overlapping and merging with phase 1, while there's a good chance phase 3 will be dropped from this project to be progressed separately as a new standard (if the associated proposal is approved).


So now I'm busy systematically reviewing the CD and preparing NZ's expert comments to be formally submitted by Christmas.


The CD is over 50 pages long. So far, I have scribbled roughly 5 to 10 comments per page, meaning if I wrote them all up separately, there would be hundreds of NZ comments. The committee has a finite capacity and time for considering and addressing comments, so a more reasonable NZ submission would consist of up to a few dozen comments, ~100 at most, which will involve combining multiples of the same issue into fewer, consolidated comments and prioritising them all, dropping the less significant ones.


With that goal in mind, I'm immersed in the detailed page-by-page review, scribbling notes as I go including early thoughts about the more significant and widespread issues to pull out as submittable comments.


Adopting ISO’s guidance on plain English means potentially a lot of changes to improve readability, understanding, translation and applicability of the standard, such as (I'm paraphrasing):

  • More, shorter sentences (max 20 words);

  • Lots of headings and structure;

  • Simple tables and figures;

  • Proper grammar and spelling;

  • Consistent use of key words to distinguish mandatory requirements from discretionary guidance and suggestions;

  • Limited use of jargon with terms formally defined.


AI/LLM could assist with all of those points, e.g. drafting a Word macro to measure the length of sentences in the CD, producing a table or graphic showing the distribution:


Output of a crude Word macro to measure sentence lengths in the document, graphed in Excel

I could provide that in an overall editorial comment with a suggestion for the editors to track down and shorten the worst offenders. However, comments that do not offer specific/individual wording changes are often summarily rejected by the committee, so to push the point home, I may have to elaborate on some of the worst offenders individually, such as that 200 word sentence on the far right of the distribution graph (!). I think it is a single sentence consisting of multiple listed items or bullet points, a situation not really covered by ISO's plain English guide.
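The author's Word macro is not reproduced on the page. As an added example that is not the author's code, the Python script below does the same job on plain text (the draft's text pasted or extracted into a file by whatever means): it buckets sentence lengths into a distribution, lists the sentences over the 20-word plain English limit longest first, and optionally counts semicolon-separated list items within one sentence as separate units, which is the case the author notes the guide does not cover. The sample text is constructed for illustration and is not taken from the Committee Draft; the sentence splitter is deliberately simple (it splits after ., ! or ? followed by whitespace, so abbreviations such as "e.g." would need special handling on real input).

```python
import re
from collections import Counter

# Constructed sample standing in for the draft text (not the real CD).
SAMPLE = (
    "The organization shall establish an ISMS. "
    "Top management should demonstrate leadership. "
    "The scope of the ISMS should be determined by considering the external and "
    "internal issues, the requirements of interested parties, and the interfaces "
    "and dependencies between activities performed by the organization and those "
    "performed by other organizations. "
    "When planning the ISMS the organization should consider: the risk criteria; "
    "the risk owners; the treatment options; and the residual risk acceptance."
)

# Sentence boundary: a terminal punctuation mark followed by whitespace.
_SENTENCE_END = re.compile(r"(?<=[.!?])\s+")
_WORD = re.compile(r"[A-Za-z0-9'’-]+")


def split_sentences(text, split_list_items=False):
    """Split prose into sentences.

    With split_list_items=True, semicolon-separated items inside a single
    sentence are counted as separate units, so a long bulleted 'sentence'
    is judged item by item rather than as one 200-word monster.
    """
    units = [s.strip() for s in _SENTENCE_END.split(text.strip()) if s.strip()]
    if split_list_items:
        units = [item.strip() for s in units for item in s.split(";") if item.strip()]
    return units


def word_count(sentence):
    """Count words, ignoring punctuation such as commas and colons."""
    return len(_WORD.findall(sentence))


def length_distribution(text, bucket=10, **kw):
    """Histogram of sentence lengths: {(lo, hi): number_of_sentences}."""
    counts = Counter()
    for s in split_sentences(text, **kw):
        n = word_count(s)
        lo = (n // bucket) * bucket
        counts[(lo, lo + bucket - 1)] += 1
    return dict(sorted(counts.items()))


def long_sentences(text, max_words=20, **kw):
    """Sentences over the plain English limit, longest first, as (words, text)."""
    hits = [(word_count(s), s) for s in split_sentences(text, **kw)]
    return sorted((h for h in hits if h[0] > max_words), reverse=True)


def render_histogram(dist):
    """Text-mode bar chart of a distribution, one line per bucket."""
    return "\n".join(f"{lo:3d}-{hi:<3d} {'#' * n} ({n})" for (lo, hi), n in dist.items())


if __name__ == "__main__":
    print(render_histogram(length_distribution(SAMPLE)))
    for n, s in long_sentences(SAMPLE):
        print(f"{n:3d} words: {s[:60]}...")
    print("Treating list items separately leaves",
          len(long_sentences(SAMPLE, split_list_items=True)), "offender(s)")
```

Run against the sample, the distribution shows two sentences under 10 words, one in the 20s and one in the 30s; the two offenders over 20 words are listed, and with `split_list_items=True` the semicolon-separated list drops out, leaving only the genuinely long sentence. Replacing `SAMPLE` with the draft's text gives the same table the author graphed in Excel.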


Aside from a suggestion to shorten unnecessarily lengthy sentences, other experts typically pick up on poor grammar, spelling and punctuation so I plan to leave that to them, instead focusing my attention and remaining time on the document structure, headings and tables/figures (of which there are presently none).


Meanwhile, you are welcome to download my plain English version of ISO/IEC 27003 that I wrote entirely from scratch and formally offered to the committee at the start of this revision project back in 2024. Although it was summarily rejected outright (and I'm still reeling from that decision, dazed and confused!), my paper is available today, for free. I released it following the rejection in 2024 and updated it this year, whereas the revised 27003 is not due out until 2027. So, although it may be a reject, there are certain advantages to not having to thrash things out formally through a large international committee ...

© 2025 IsecT Limited 