
[LUG]Re: Second-hand ISO standards


On Sunday, 17 November 2024 10:48:22 GMT Brad Rogers wrote:
> On Sun, 17 Nov 2024 09:17:33 +0000
> Simon Waters <simon@xxxxxxxxxxxxxx> wrote:
> 
> Hello Simon,
> 
> >As the ISO 27000 series is largely funded by selling the standards I
> >doubt they are legally available free for download.
> 
> It's free from their site;
> 
> https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
> 
> There's no mention of 9000, however.
> 
> AIUI, 27000:2018 is the latest version, and that's what you'll get from
> the link above.

The free one (27000) is literally the overview document, basically a list of 
what other documents are available for the standard. Those other separate 
standard documents are charged for; you typically need 27001, 27002, 27018 
(Privacy), and then other documents for cloud, web hosting, healthcare, or the power 
industry, depending on what you are doing. 29100 is free too. 

Many places don't need 27018 specifically, but you will have to be GDPR 
compliant, and in large organisations the board aren't going to (shouldn't, or 
are legally obliged to have specific privacy processes, a la Caldicott 
Guardians) accept casual assurances from staff given the size of the potential 
fines, so some processes will want to be in place and checked on. 

Once you've been through a few audits you mostly just refer back to 27001 when 
planning out audits, or reviewing how the process worked. But in theory you 
build a security process that watches itself, and already has all applicable 
security controls and processes from the standard (and other legal or business 
obligations) covered, and fits your business. The internal audits are about 
ensuring the completeness and working of that process; the external audits are 
about ensuring it is still working.

But businesses (and standards) change. For example, there are standard aspects 
that relate to the property the business operates from, and one company I worked 
for was effectively fully remote, so we could ignore some elements; then 
it wasn't and we couldn't ignore them any more, and so we referred back to 
27001 to make sure the aspects we had deemed excluded were either included, or 
still justified as not complied with.

The standard is a management standard. The controls for premises will include 
something similar to "routine inspection of all entrance ways to the 
premises"; this is obviously going to be a very different priority and 
implementation for police record systems, the National Library, or a software 
development company doing open source software. So the implementation will 
literally be ensuring there is a suitable process (or processes) and a table linking from 
that control to the process(es), with commentary on why/how this is suitable.


-- 
The Mailing List for the Devon & Cornwall LUG
FAQ: https://www.dcglug.org.uk/faq/