Originally published in October 2005, ISO/IEC 27001 has – in some areas – become slightly outdated. It needs updating – but not as much as does the list of candidate security controls contained in Annex A of that standard, for which implementation guidance is provided in ISO/IEC 27002:2005.
Draft revisions of both standards have recently been published by ISO/IEC – you can purchase copies of both draft international standards (DIS) from our website, and also read our current review and guidance on the contents of those drafts – there are also links there that will enable you to comment on the content of each draft. Once the new standard is finalised and published – which could be sometime in the next 12 months – there will be a transition period, usually of 12 to 18 months, during which organisations can move from the old version of the standard to the new one.
Our key guidance, which I’m repeating here, is: the business and compliance benefits of proceeding with an ISO27001 certification are unchanged by the possibility of future changes to the standard itself. So, if ISO27001 certification makes business or compliance sense right now, you should ‘keep calm and carry on’. There are considerable benefits in completing your management system project against the existing version of the standard, and then managing an ordered and controlled transition, later on, to the new version of the standard, once all the inevitable interpretation and implementation issues have been ironed out.