Bright Stove

Reflecting information risk journey

Archive for September 2007

Bye-bye password


Written by mengchow

September 27, 2007 at 2:40 pm

Three little pigs crossed the JTC1 bridge


The three new work items proposals in WG4 (part of ISO/IEC JTC 1/SC 27) passed the JTC1 balloting this week. So the three new projects — (1) ICT Readiness for Business Continuity; (2) Guidelines for Cybersecurity; and (3) Guidelines for Application Security — are now on the development track. In addition to this, revision for the Network Security standard (ISO/IEC 18028) has also been approved through the balloting process. As for the numbering of all these projects, they will be put on the track to cross another JTC1 bridge next week. 

Written by mengchow

September 26, 2007 at 7:26 am

Posted in Security Standards

On ISO 27001 Report: ISO 2703n: Latest Developments


Just read some reports on the roadmap and numbering of the ISO/IEC 2700x series of standards at the ISO 27001 Report blog site: "ISO 27001 Report: ISO 2703n: Latest Developments". Also noted that there is some interest in the infosec community about this recent development – "ISO Standards – What’s the future?".

While it is true that the series of numbers, 27031 to 27040, has been allocated for standards that WG4 is currently developing, and that WG4, in the May 2007 meeting held in Russia, attempted to align the first few numbers to the standards that are currently being developed, these allocations have not been formally approved by JTC1. As such, it is still premature to use these numbers to refer to the new series of standards in WG4. In the meantime, WG4 will be putting up a resolution for these new allocations to be balloted by National Bodies at JTC1, which should take place within 2007 or early 2008. I should report the outcome of the ballot then.

Another thing, more important than numbering, that I want to highlight briefly here relates to the "ICT Readiness for Business Continuity" standard. The "Compliance Portal" reports that "ISO 27031 will be a Business Continuity standard". This is not entirely correct. What the members of WG4 have in mind and are really emphasizing is "ICT Readiness for Business Continuity", not just "Business Continuity". It is important to focus on the complete title rather than only one part of it; focusing on one part is how many others have misunderstood the intention of this standard. Business Continuity is something that TC 223 is working on. Also, as this standard materializes, we should see a more encompassing scope for "Business Continuity" here (in the ICT domain), in which our ICT systems (including people, process, and technology) need to be prepared to respond as the related events emerge. I have in my recent blog, "Football match in Mandrogi, Russia", reflected on some of the principles of readiness. As this standard evolves, I will report more about it then.

Written by mengchow

September 22, 2007 at 3:03 pm

Posted in Security Standards
