The planned publication is sometime in 2012 although it had been previously been muted as 2011.
Readers of this blog may remember that ISO 19011 (Quality/Environmental Auditing Standard Update) was to have been published in June 2011 however, the final draft for public comment was so badly received that the proposed Standard was withdrawn in total and it was sent back to the 'drawing board'.
The 27001/27002 Standards have reached final committee stage, which is usually the precursor to a final draft for public comment. There have been few details about the update but here are the ones that have been discussed:
- No major changes to the Standard are envisaged as it is essential that full backwards compatibility is maintained.
- All management Standards are adopting a common structure and terminology. It is reasonable to assume that the Information Security Standards will follow this trend.
- The part that has raised some eyebrows across the world concerns the Statement of Applicability which may be dropped from the 2012 Standard. If this is the case then something will have to be put in its place, otherwise organisations would be able to claim conformity to ISO27001 without meeting all aspects of it. The Statement of Applicability has up to now detailed the extent that the organisation has achieved compliance. It could be that the level of compliance will have to be stated within the 'Scope' instead.
- Most of the Management Standards use the PDCA model (Plan-Do-Check-Act) as a tool to achieve continual improvement. It has been suggested that the PDCA should not be explicitly detailed in the updated ISMS Standards; a move that has not been universally welcomed.
It is always useful to keep up to date with developments and for that reason I have posted these details.