How is ISO27000 Related to ISO 31000 And BS31100?<br />
Published 2007-07-04<br /><br />
The answer is: we don't know! So why ask the question? Because it probes the relationship between different aspects of risk assessment, and different sets of standards.<br /><br />
We tripped upon two holding sites: one for <a href="http://www.31000.net/">ISO 31000</a> and one for <a href="http://www.bs31100.info/">BS31100</a>. Scratching the surface with both <a href="http://www.iso.ch/">ISO</a> and <a href="http://www.bsi-global.com/">BSI</a> didn't reveal too much extra. However, it does appear that these BOTH address risk management at a corporate/organizational level. Security risk assessment is part of this, but only part of it.<br /><br />
Why 31000 and 31100? Clearly this similarity indicates SOME relationship and forethought, but at this stage we could not determine specifically what this was. It does appear that BS31100 is much closer to fruition than ISO31000, but how they are related will be interesting to determine, as will the scope for BS31100 to become ISO 31100 or perhaps ISO 31001.<br /><br />
The precise relationship between these and BS7799-3, and/or ISO27005, will also be interesting to see. There will surely be cross-references between these, as there are logical relationships between them. How much further that goes remains to be seen.<br /><br />
This does illustrate, however, that it isn't just the ISO27000 series which is 'shrouded in mystery', but others too. For those of us who thrive on clarity, it is a bit of a nightmare!<br /><br />
Posted by ISO 27001 Reporter