ISO/IEC 27000:2016 is FREE at last!


Gary Hinson

Jul 14, 2016, 6:57:15 PM
to iso27001...@googlegroups.com

http://blog.noticebored.com/2016/07/isoiec-270002016-available-for-free.html

 

Someone kindly sent me the download links to the ITTF website.  I’m not entirely sure why it took so long to publish the free version but the cynic in me suspects someone might have been trying to maximize their income from the paid version.

 

Anyway, we got there in the end.

 

Kind regards,

Gary

 

________________________________________________

Dr Gary Hinson PhD MBA CISSP

CEO of IsecT Ltd., New Zealand  www.isect.com 

Passionate about information risk and security awareness, standards and metrics

www.NoticeBored.com  www.ISO27001security.com  www.SecurityMetametrics.com

 

VimalAthithan Subramanian

Jul 15, 2016, 3:17:29 PM
to iso27001...@googlegroups.com
Thanks Gary for the link.

--
You received this message because you are subscribed to the ISO27k Forum.
To post a message to ISO27k Forum, send an email to iso27001...@googlegroups.com or online through groups.google.com
For more information about ISO27k, visit www.iso27001security.com
Please respect the Forum's rules at www.iso27001security.com/html/forum.html#TipsAndEtiquette
---
You received this message because you are subscribed to the Google Groups "ISO 27001 security" group.
To unsubscribe from this group and stop receiving emails from it, send an email to iso27001securi...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
With Regards,
Vimal PhD
************************************************************************************************************************

“Life is to be enjoyed, not endured.”
―Gordon B. Hinckley

*************************************************************************************************************************

Dave Anders

Jul 15, 2016, 3:28:55 PM
to iso27001...@googlegroups.com
Hi Gary,

Can you explain this free download vs. buying the standard from the ISO.org website and receiving a watermark on each page as proof of purchase / license agreement?


Dave




--
Regards
Dave Anders

Managing Partner / Business Development
SecuraStar, LLC. / ISO Manager Software
ISO 27001 Training, Consulting, Audits, Software
855-476-2701  Toll Free
djan...@SecuraStar.com

Gary Hinson

Jul 15, 2016, 4:19:31 PM
to iso27001...@googlegroups.com

Hi Dave.

 

ISO/IEC will happily sell you a license for the 27000 standard, including a multi-user license if you need that, or provide printed copies … but they also make it available for free in both English and French as a single-user single-print PDF through the ITTF website at http://standards.iso.org/ittf/PubliclyAvailableStandards/c066435_ISO_IEC_27000_2016(E).zip.  The copyright notice on that ITTF download page states (in part):

 

The document is a single-user, non-revisable Adobe Acrobat® PDF file. You are downloading a single-user licence to store this file on your personal computer. Under no circumstances may the electronic file you are licensing be copied, transferred, or placed on a network of any sort without the authorization of the copyright owner.

You may print out and retain one-only printed copy of the PDF file.

This printed copy is fully protected by national and international copyright laws, and may not be photocopied or reproduced in any form. Under no circumstances may it be resold.

 

It was pressure from ISO/IEC JTC 1/SC 27 that led to the standard being released for free.  We argued that it is important for everyone who uses the ISO27k standards to be ‘singing from the same hymn sheet’: the glossary of terms is necessary to make sense of the remaining ISO27k standards.  The standard also provides an overview of the ISO27k suite, hence if you are not sure which standards you might need to buy, 27000 will give you some hints.  [Mind you, there’s a lot more info at www.ISO27001security.com and elsewhere.]

 

In accordance with the license conditions above, we are forbidden from simply making the PDF available to download directly from our website I’m afraid … but everyone can visit the ITTF page, read and click to accept the license, then download a single-user PDF for themselves.

 

By the way, ISO/IEC 27036-1:2014 is also available for free as a single-user PDF from http://standards.iso.org/ittf/PubliclyAvailableStandards/c059648_ISO_IEC_27036-1_2014.zip

 

If ALL the ISO27k standards were freely available (like the NIST SP800 series), I’m sure we would see a marked increase in the adoption of the standards globally, leading to better management of information risks and stronger security controls, but (in its infinite wisdom) ISO/IEC chooses to charge for most of them.  I guess it helps fund the bureaucracy.

 

Kind regards,

Gary

 

________________________________________________

Dr Gary Hinson PhD MBA CISSP

CEO of IsecT Ltd., New Zealand  www.isect.com 

Passionate about information risk and security awareness, standards and metrics

www.NoticeBored.com  www.ISO27001security.com  www.SecurityMetametrics.com

 

Dave Anders

Jul 15, 2016, 5:04:27 PM
to iso27001...@googlegroups.com
Gary,

Much thanks for the clarification for the group.  Great information for all the single users.

Dave

Anton Aylward CISSP, CISA

Jul 26, 2016, 8:53:00 AM
to iso27001...@googlegroups.com
On 07/15/2016 04:19 PM, Gary Hinson wrote:
> If ALL the ISO27k standards were freely available (like the NIST SP800
> series), I’m sure we would see a marked increase in the adoption of the
> standards globally, leading to better management of information risks
> and stronger security controls, but (in its infinite wisdom) ISO/IEC
> chooses to charge for most of them. I guess it helps fund the bureaucracy.

It's a yes-no-maybe, in my opinion :-)

Certainly the freely available Internet RFCs initially aided the
adoption of those standards, somewhat, but then so did the free
distributions of source code, since it was developed using public funds.

Again, maybe. Or not, as the case may be.

I recall at the end of the 1980s attending Interop in San Francisco.
There were 'interoperability bake-offs' between vendors to aid the
convergence of standards. Heap good marketing!

But <strike>those arrogant snots at</strike> Cisco did not attend.

Later, my business needed to connect to one of the big Telcos, and
they, being blue chip, ran Cisco, while my firm, being brought up on BSD
and the like, ran Telebit, one of the core of the Interoperability
pack (and who were later bought up by Cisco for their compression
technology, which Cisco then discarded without ceremony).

There's an axiom in internetworking known as the Robustness Principle
that comes from Jon Postel via RFC 791 [1]:

Be liberal in what you accept, and conservative in what you send.

Jon also said:

The Internet works because a lot of people cooperate to
do things together.

As it was, if our link to the telco went down, their Cisco router refused
initiation requests from our Telebit router, but our Telebit happily
accepted initiation requests from the Cisco. Telco support grew tired
of us, as if it were our fault that the Cisco was non-compliant. But
such was the marketing power of Cisco that the telco specified Cisco as
a requirement on all future associations; we were grandfathered.

So much for standards.

In another forum, there is a polarization between an 'open standards'
cortège on the one hand, the people who support the use of open
standard/open sourced tools such as Mozilla Thunderbird, Mozilla Firefox,
Lightning, Google Calendar, WebDAV, openCloud and the like, and on the
other the "impenetrable fortress of Exchange 2010" that so many
corporate entities deploy. That, along with so many other email systems
that operate in defiance of RFC822 and its revisions, RFC2581, RFC4918,
and ... need I go on?

So much for standards.

Which brings us to the NIST SP800 series that Gary mentioned.

These are the product of a government body in the USA. They are, by RFC
and/or ISO/IEC standards, wordy and chatty, but perhaps that makes them
more comprehensible.

They have been mandated for most Federal government agencies in the USA.
Perhaps that is why such agencies, to say nothing of the USA in
general, are slow to adopt things like ISO27K. Or perhaps not, since
most of those agencies haven't even adopted, even nominally, never mind
started to comply with those requirements.

One of the standard excuses is that many of their systems are too
archaic, but having been through many SOX audits and worked on SOX
compliance of 'archaic' systems I can tell you that is <deleted>.

So much for standards.

That, as Gary points out, a couple of the ISO27K publications are free
for single use does mean that individuals can review them before advising
their clients and organizations to adopt ISO27K in general.

But compare this to, for example, ISACA COBIT, of which the document and
much of the supporting documentation is free, and they only charge for
training and specialized application documents.

Some of us Greybeards are old enough to remember when the IBM PC first
came out. There had been many PCs before it, but what made the IBM one
different was that IBM published, openly, all the details on it. Yes,
this resulted in a rash of lawsuits, but in the longer run it allowed an
industry to grow up, hardware and software, simply because it was fully
open.

There's a lesson there, but many organizations don't seem to appreciate it.

[1] http://www.ietf.org/rfc/rfc0791.txt
https://en.wikipedia.org/wiki/Robustness_principle
--
Any philosophy that can be put in a nutshell belongs there.
-- Sydney J. Harris