Bright Stove

Reflecting information risk journey

7th meeting of WG 4 at Redmond, WA


Six months have passed since the Beijing meeting. This week, we commence the 7th meeting of ISO/IEC JTC 1/SC 27/WG 4 at Redmond, Washington, USA. The meeting is hosted by the US national body (NB), represented by NIST, and sponsored by Microsoft, hence it is held at the MS conference center in Redmond. With autumn coming to an end, the streets in Redmond are covered with fallen leaves of various colors (red, yellow, and amber) and flanked by trees in beautiful shades of the same all over.

In attendance are delegates from a number of NBs, including Africa, Brazil, Canada, France, Germany, Japan, Korea, Malaysia, Singapore, Spain, Sweden, UK, and US (as far as I can recall). Liaison organizations representing FIRST, SC 7, and ITU-T/SG17 are also in the meeting to contribute to the various projects. In terms of the agenda this week, WG 4's focus remains on the development of the usual projects, from 27031 to 27037. The good news is that part one of 27033 on network security has reached FDIS status after the follow-up teleconference meeting held in early June 2009, so it is now outside the WG 4 agenda, awaiting the JTC 1 ballot for its final publication. All the projects have continued to receive substantial contributions from NBs to improve their contents and structure. There is, however, much editorial work and discussion for the respective project editors to work through during the week to bring the projects to the next stage as appropriate. At a critical juncture (needing to move from WD to CD, or from CD to FCD) are 27032 (Guidelines for Cybersecurity, at its 3rd WD), 27033-2 (part two of network security, at its 4th WD), and 27035 (information security incident management, at its 2nd CD). These projects run the risk of being cancelled if they cannot advance to the next stage and cannot justify an extension.

In addition to these projects in development, the meeting will convene a study period on the subject of Redaction, and review a new proposal on Storage Security (referring to network storage in particular) and another on a security baseline relating to supply chain management. The latter relates to the Guidelines for Outsourcing (27036), but some felt that it is a specific area that requires a focused standard. Something for discussion anyway.

In parallel to the WG 4 meeting is the WG 1 meeting, in which much focus has been directed at the revision of the ISO/IEC 27001 and 27002 standards for information security risk management. These two standards have achieved unprecedented success in the past years in terms of their adoption worldwide. As a result, the group has gained much understanding of the strengths and weaknesses of the standards. With the experience gained, a number of proposals (a few major ones, and a number of minor ones) have been put forward by various NBs for significant changes to the structure and contents of the standards. The success of these standards, however, means that any changes to them are likely to impact the user community, including those organizations that have been certified and are relying on the standards to demonstrate information security governance to their management and customers. As the convener for WG 1 put it, there is now an economic consequence to consider.


Written by mengchow

November 3, 2009 at 12:02 am

Posted in Security Standards
