Anyone else notice that the ISO/IEC 27000-series is exploding? First we had 27001 for managing security (ISMS), then 17799 was renamed to 27002 for consistency with 27001. Now, OMFG:
1. ISO/IEC 27000 – an introduction and overview for the ISMS family of standards, plus a glossary of common terms
2. ISO/IEC 27003 – an ISMS implementation guide
3. ISO/IEC 27004 – a standard for information security management measurements
4. ISO/IEC 27005 – a standard for information security risk management
5. ISO/IEC 27007 – a guideline for ISMS auditing (focusing on the management system)
6. ISO/IEC 27008 – a guideline for information security management auditing (focusing on the security controls)
7. ISO/IEC 27011 – an ISMS implementation guideline for the telecommunications industry (also known as X.1051)
8. ISO/IEC 27031 – a specification for ICT readiness for business continuity
9. ISO/IEC 27032 – a guideline for cybersecurity (essentially, ‘being a good neighbor’ on the Internet)
10. ISO/IEC 27033 – IT network security, a multi-part standard currently known as ISO/IEC 18028:2006
11. ISO/IEC 27034 – a guideline for application security
12. ISO/IEC 27799 – an ISMS implementation guideline for the healthcare industry
What happened to 6? Perhaps I should be pleased with this laundry list of options, but in fact it makes life quite a bit more complicated right now. I just had to explain 27003 even though it is still in draft form, just because someone wanted to work on ISO compliance for 27002. If you live in a country, let alone a state, that has compliance governance of its own, will you deal with the ISO? Something tells me if you do business across national boundaries this may be your only path of communication, and that is what the ISO is banking upon. On the other hand, I have already met a few people who think international standards are somehow an insult to their sense of national pride and want nothing to do with them.