ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines


Have a question on ISO 27001 or ISO 22301?

Ask an Expert

Free eBook

Free eBook 9 Steps to Cybersecurity
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
Sign up for our free Newsletter and as bonus you'll receive my tips on how to launch an information security and business continuity project.



ISO 22301: An overview of BCM implementation process


September 10, 2014


ISO 27000 series – What to expect in 2013?

'By 'Dejan Kosutic on January 15, 2013

Believe it or not, there are more than 30 standards in the ISO 27k series. And, to make things worse, they are constantly changing because information security theory and best practice are continuously evolving.

Here’s what will probably happen in 2013:

ISO/IEC 27001 – Since this is the main standard in the ISO27k series, its revision is expected with high excitement. It was published in what is, for this area, a very distant 2005, so the changes are certainly not going to be minor. The largest change (besides the controls from Annex A – for those see ISO 27002 below) will be in the structure of the standard – according to ISO directives Annex SL (previously called Draft Guide 83), the structure of every management standard will have to be aligned, so the same destiny is intended for the new revision of ISO 27001 as well. Such changes are best visible in ISO 22301, the new business continuity standard, which was the first one to be compliant with Guide 83 – click here to see the structure of ISO 22301.

The date for publishing of ISO 27001 hasn’t been set yet, but it could be somewhere in second half of 2013.

ISO/IEC 27002 – The revision of this standard will be published together with ISO 27001 because, as you probably know, it gives guidelines for implementation of controls from ISO 27001 Annex A – therefore, these two standards need to be aligned completely. See here what is expected to change: ISO 27002 – What will the next revision bring?

ISO/IEC 27004 – This is the standard that defines information security metrics; in other words – how to measure information security in an organization. It was initially published in 2009, and it will be in the revision process during 2013. It is, however, not likely that new revision will be published in 2013.

ISO/IEC 27006 – This standard defines the requirements for certification bodies that provide the auditing services. Since other auditing standards (ISO 19011 and ISO/IEC 17021) are currently being revised, it is expected that the revised version of ISO 27006 will be published in 2013 or 2014.

ISO/IEC 27011 is the standard that provides guidelines for information security management in telecoms – since it relies heavily on ISO 27002, it will be revised once the new version of ISO 27002 is published. It may happen in 2013, but more likely in 2014.

ISO/IEC 27014 defines the governance of information security; since this standard is – at the time of writing this article – in FDIS status, it is expected to be published in the first half of 2013.

ISO/IEC TR 27016 is the standard that defines organizational economics for information security management. Since this standard is still in the draft version, it is theoretically possible that it will be published in 2013; however, 2014 is much more realistic as a publishing year.

ISO/IEC 27017 is the standard that will define a very hot area: security in cloud computing. Since it will depend heavily on revised ISO 27001 and ISO 27002, at best it will be published at the end of 2013 or the first half of 2014.

ISO/IEC 27018 is the standard that will provide code of practice for data protection controls for public cloud computing services – similar to ISO 27017, this standard will wait until ISO 27002 is published. Let’s hope we’ll see it in 2013, or some time shortly after that.

ISO/IEC TR 27019 is the standard that focuses on information security management guidelines for the energy industry. Since it is based on ISO 27002, it is not expected to be published until the end of 2013 or in 2014.

ISO/IEC 27033-5 is still in the draft phase, and defines how to use secure communications using Virtual Private Network (VPNs). Its publication is expected near the end of 2013.

ISO/IEC 27036 is still in the draft phase, too, and it specifies how to regulate information security in supplier relationships. This standard will be published in four or five parts, three of which could be published during 2013 or early 2014.

ISO/IEC 27040 defines another very interesting area: storage security.  It is scheduled to be published in 2013, but may be pushed to 2014.

As you can see, many standards are to be published soon, or at least are going to be revised. Who says information security is a boring business?

  • Игорь Луканин

    Very good review, thanks. By the way, isn’t ISO 27799 (of 2008) considered ISO 27k standard since it’s omitted in the article? Is it going to be revised?

  • Dejan Kosutic

    Yes, ISO 27799 is considered to be a part of ISO 27k series – however, it probably won’t be revised in 2013 so this is why I didn’t mention it in this article.

  • Олег Марков

    Europe has been flooded by liberalization. It’s common trend…)) Thanks for review.

    Кстати, Игорю Луканину привет!

  • zilani

    This scope is possible for ISMS certification? “IT Enabled Services Highlighting Software Development & Quality Assurance, Business Process Outsourcing and Comprehensive Data Analysis”. ?

  • iso27001certifications

    This is a great article on the topic of the benefits of ISO 27001 certification.

  • Norman Aguilar

    With the revision of the ISO27001 standard with regards to Risk Assessment, do you think that ISO 27005 will be revised as well?

  • Dejan Kosutic

    ISO 27005 was revised for in 2011 in order to become compliant with ISO 31000, so yes – I think ISO 27005 will be revised again because of new requirements for risk assessment in ISO 27001:2013.

  • Majalah Checklist

    Thank you Dejan, we follow the actual information from your blog. We hope that ISO 27001 is better known in our country.