ISO/IEC 27001:2009 and ISO/IEC 27002:2009

By cyberphob1a

I’ve recently had the chance to hear a talk by Ted Humphreys, who – as editor of BS 7799-1:1999 and ISO 17799:2000 – was one of the fathers of ISO 27001:2005 and ISO 27002:2005. He is also the founder and director of http://www.iso27001certificates.com, the international ISMS certificates register.

While the talk itself contained little news, at the end Humphreys spoke about upcoming updates to the standards. According to him, a review cycle is going to start this April for both ISO 27001:2005 and ISO 27002:2005 (formerly ISO/IEC 17799:2005). Revised standards can be expected in 2009.

In particular, for ISO 27002 (the former 17799) they are looking to add new controls. Input is gathered from practically every national standardization body, so if you have ideas for new controls, that is the place to bring them. What is in my opinion a bit of a pity is that they are currently not thinking of dropping any of the existing controls. Things like limitation of connection time just don’t work against modern threats any more, in my humble opinion.

The management system itself, ISO 27001, is according to Humphreys not going to change much. At the moment there are no plans for new requirements. They have had some input regarding ambiguous or unclear clauses. Interestingly, one thing they want to clarify is the requirement to measure the effectiveness of the selected controls. I still haven’t got around to writing the third part of my ISO 27001 – The Good and the Bad series (see Part I and Part II), but its topic was going to be this exact clause of the standard. It’s great that they want to clarify it in the next revision.

So, to sum up: while ISO 27001:2009 will see only minor adjustments, we can expect lots of new controls in ISO 27002:2009. I can’t wait!

Picture of Bragging Wall by Beth77


2 Responses to “ISO/IEC 27001:2009 and ISO/IEC 27002:2009”

  1. ISO 27001 - The Good and the Bad (Part III) « Cyberphobia Says:

    [...] have no idea why, but my posts about ISMS are those that get by far the most hits. So I’ll continue the series ISO 27001 – [...]

  2. Surinder Says:

    Dear Sir
    I want to know the changes in the new edition of ISMS from the earlier one.

    Surinder Kochhar
