One Article Review

Source NoticeBored
Identifier 4179676
Publication date 2022-02-25 12:38:34 (seen: 2022-02-25 00:05:28)
Title Transition arrangements for ISO/IEC 27001
Text Last week's release of a completely restructured ISO/IEC 27002:2022 has naturally prompted a rash of questions from anxious ISO27k users around the world about the implications for ISO/IEC 27001:2013, particularly on the certification aspects, since '27002:2022 no longer aligns with '27001:2013 Annex A.

The situation today is that ISO/IEC 27001:2013, plus the associated accreditation and certification processes, remain exactly as they were:

Organisations that chose to adopt the standard are required to use Annex A of '27001:2013 to check that they have not accidentally neglected any relevant/necessary information security controls, documenting the associated justified decisions to include/exclude the controls in a Statement of Applicability (SoA).

Accredited certification bodies are required to confirm that clients comply with the mandatory obligations in '27001:2013, including that SoA requirement among others, both during the initial certifications and any subsequent interim audits and re-certifications.

In other words, it's business as usual ... but looking forward, there are of course changes afoot.

A formal amendment to ISO/IEC 27001:2013 is currently being prepared:

A draft of the amendment is already available through ISO if you can't wait for it to be finalised and released - which I understand is expected to happen in the next few months, possibly as late as August 2022 but hopefully sooner. The draft amendment essentially replaces Annex A with an equivalent that references and summarises the controls from ISO/IEC 27002:2022. It is likely to retain the succinct tabular format of the original Annex A, i.e. it will reference each control by its '27002:2022 clause number prefixed with "A." (for Annex A), then state the control's title, followed by a single sentence outlining the control.

As before, it will not elaborate on that outline: readers should consult '27002 for the supporting explanation and implementation advice - typically half a page of detail per control - and/or look to other sources of guidance, of which there are many.

There may also be minor wording changes in the main body clause about the SoA, specifically in the notes for clause 6.1.3. More specifically:
Sent Yes


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.