February 5, 2010

ISO 27003:2010 Standard Now Available

Good afternoon everybody,

Last post for this week :) In case some of you didn't notice, the 2010 version of the ISO 27003 standard was published this week.

This standard focuses on the key elements and deployment activities necessary to successfully design and implement an ISO 27001 based Information Security Management System (ISMS).

It describes the various steps you need to go through to specify, design, define and implement the requirements of the ISMS, from its inception to a "certifiable" status, and provides guidance on how to plan the ISMS project and get management endorsement.

In the next trainings we will go into more detail on the content of this standard and why it might appeal to you if you are responsible for implementing an ISMS within your organisation. For those of you who have heard of the BIP documents from the BSI, be aware that the objectives are the same and that the two are similar in nature.

The 2010 official release is shorter (68 pages) than the originally planned 2007 draft, which ran to no less than 110 pages, but in this case quality comes before quantity.

Every ISO practitioner and consultant should have their own copy! Don't forget that this is copyrighted material: every member of the project team should also have their own named copy unless your company or the client has a site license. It can be purchased in electronic or paper form from the ISO web site at a cost of 168 Swiss francs plus shipping, if applicable.

Have a great weekend!

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security

2 comments:

  1. I have read the ISO 27003 standard, and must admit I am a bit disappointed - its intention was to help an organization implement ISO 27001, but it is too complicated, and has too few examples from real life. It also does not give any guidelines on the 133 controls. I expected much more.
  2. I agree that the standard does not provide you with implementation guidelines for the 133 controls, but I think it is fair to say that 27002 provides sufficient information in that regard. If you end up in a situation where 27002 is not enough, you can always fall back on ITIL for A.10 - Comm and Ops Management, BS2599/DRI/BCI for A.14 - BCM, or ISO 18044 for A.13 - Incident Management... The list goes on and on :) I will try to focus on that aspect in my future training.