One Article Review

Source: NoticeBored
Identifier: 5034617
Publication date: 2022-06-08 16:28:55 (seen: 2022-06-08 05:05:59)
Title: Third edition of ISO/IEC 27001 coming
Text:

An ISO/IEC JTC 1/SC 27 meeting last night was informed that the planned amendment to ISO/IEC 27001:2013 is to be absorbed into a new third edition of the standard, to become ISO/IEC 27001:2022.

Apparently, the new 2022 version of '27001 will have minor editorial corrections in the main body text (including one of the two corrigenda published previously), a small but valuable clarification to the notes on subclause 6.1.3, and a complete replacement for Annex A reflecting ISO/IEC 27002:2022.

The transition arrangements are still uncertain, but this is my understanding:

- Nobody will be able to use ISO/IEC 27001:2022 formally until it is published, hopefully on October 1st;
- The International Accreditation Forum will publish a mandate for the national accreditation bodies (such as IANZ here in New Zealand) at the same time, with details of the 3-year transition period:
  - Accreditation and certification bodies will be required to update their processes, and train and prepare auditors for accreditation and certification against the new standard within a year of its release;
  - Organisations may wish to be certified against the new standard as soon as the certification bodies are ready to do so, or may (continue to) use the old standard for up to three years beyond its release, meaning a full certification cycle;
- Already (right now), organisations are free to declare any or all of the controls in ISO/IEC 27001:2013 Annex A inapplicable in their Statement of Applicability, instead opting to use an appropriate selection of controls, e.g. from ISO/IEC 27002:2022, NIST SP800-50, NIST CSF, ISF, COBIT, CSA, GDPR, PCI-DSS and whatever other sources they like (including entirely custom control sets), in accordance with the current ISO/IEC 27001:2013 clause 6.1.3 note 2, which says in part "The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed."

Regardless of where the controls come from, organisations must:


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.