ISO 27001ISO 17799BS 7799

ISO 27001/ISO 17799/BS 7799

Since its inception in 1947, the International Organization for Standardization (ISO) has created a number of standards for network security management, software development, and quality control, in addition to a number of other standards for various business and government functions.

The series of identifiers in this section's heading refer to what are, essentially, the same core set of standards dealing with several aspects of information security practices, information security management, and information security risk management.

The precursor to BS 7799 was first promulgated as an information security standard in 1993 by the U.K. governments' Department of Trade and Industry. Two years after the information security standard was published by the Department of Trade and Industry, it became formalized into the British Standard 7799. Subsequent to that initial publication, BS 7799 has gone through three distinct iterations as the British Standard 7799, adding information security management standards and the most recent version (2005), which added guidelines for information security risk management.

In December 2000 the BS 7799 morphed into ISO Standard 17799. Participation from the international standards community updated the original British standard but the core of the BS 7799 remained largely intact despite the fact that BS 7799 itself has been discontinued.

Continuing the thread, ISO 27001 was published in October of 2005. This standard dealt largely with the topic of BS 7799-2, that is, management of information security systems. This ISO standard was created to provide guidelines for effective information management systems. One of the underlying principles in this incarnation of the information security standard is use of the Organization for Economic Cooperation and Development (OECD) principles governing security of information and network systems. ISO 27001 is the first in a series of information security management and practices standards. This series of standards (27001) was created to "harmonize" with other widely recognized international operations standards, namely, ISO 9001 (quality management) and ISO 14001 (environmental management).

Confusing as the standards names are, adoption and compliance can be equally challenging. Some organizations use one or more versions of the standards as implementation frameworks to guide development of internal information security practices, procedures, and controls. Compliance with certain of the standards may be "certified" by being audited by a qualified "assessor" working for a "certification body" duly recognized by the local (country-specific) "certifying authority."

Fully adopting these standards is not a trivial undertaking and should be done with a significant amount of preplanning and analysis. Consulting, training, and products supporting various aspects of these standards are widely available.

Despite the evolving names and scope, this series of standards has become one of the most recognized and internationally accepted sets of information security practices, frameworks, and guidelines available.

ISO 17799 Concepts

Also referred to as the Code of Practice for Information Security Management, ISO 17799:2005 addresses 11 major areas within the information security discipline. The standard outlines 133 security controls in the following 11 areas:

• Security policy

• Organization of information security

• Asset management

• Human resources security

• Physical and environmental security

• Communications and operations management

• Access control

• Information systems acquisition, development, and maintenance

• Information security incident management

• Business continuity management

• Compliance