27000 & 27017 updates "soon-as"
Updates to both ISO/IEC 27000 and ISO/IEC 27017 have passed their votes at FDIS stage.
27000 (the overview and introduction to the ISO27k standards) received just a few minor comments and should be released very soon (which means within months, in ISO-land).
27017 (cloud security) received about 10 pages of comments - mostly minor grammatical corrections though, so it too remains on-track for release soon (hopefully this year).
They should be published "soon-as".

I often moan about ISO's inordinately slow and tedious processes for developing standards, involving numerous cycles of requesting comments, receiving comments, discussing comments and moving ahead. The cycle time varies but is normally about 6 months or more. The number of cycles also varies; again, 6 is not untypical, leading to the roughly 36 month/3 year process from conception to publication of each release, seldom sooner but often longer. Ultimately, some draft standards remain contentious and don't reach sufficient consensus, so the projects are cancelled without producing anything except aggravation and disappointment.
ISO is aware of the constraints and the resulting problems, especially in fast-moving fields such as IT, information or cybersecurity, IoT and AI. However, substantially reducing the cycle time or the number of cycles to speed things up risks reducing the quality and value of the end products and, more importantly, the intended outcome: securing the global social and economic benefits that arise from 'standardisation', as opposed to proprietary, incompatible approaches.
For any one standard, the process is essentially serial, proceeding phase-by-phase, cycle-by-cycle, in sequence. Some shortcuts exist (e.g. producing a reasonably complete, sound and uncontentious initial draft means less effort and time to reach consensus) but success is far from guaranteed, especially if there is strong opposition from any of those involved or inept handling of changes and issues along the way.
Multiple standards projects are ongoing in parallel, which presents another way to speed things along (e.g. working on alternative approaches to the same topic across separate standards), but again there are risks, such as conflicts between the standards, between the projects and those involved in them, and for customers/users once the standards are released.
It's messy.
