Background and Overview of ISO 17799/27001
However, it took until the second half of the 1990s for this process to really take shape.
ISO 17799 is often used as a generic term for what are actually two different documents: ISO 17799 (since renumbered ISO/IEC 27002), which is a set of security controls (a code of practice), and ISO 27001 (formerly BS 7799-2), which is the specification for an Information Security Management System (an ISMS). The distinction matters in practice: an organization is audited and certified against 27001, the management-system requirements, while 27002 is the catalogue of controls it draws on to meet them.
The original BS 7799 had two parts. BS 7799 Part 1, Code of practice for information security management, established the overall requirements for an information security program by breaking security into ten separate topic domains.
BS 7799-1 was eventually adopted as the first international standard for information security, ISO 17799:2000. BS 7799 Part 2, entitled Information security management systems — Specification with guidance for use, was designed to allow an organization to become certified as following the practices defined in Part 1 of the standard.
Within Great Britain and around Europe, hundreds of organizations became certified against BS 7799. Until 2005, if an organization wished to become “certified”, it could only do so against the British Standard BS 7799-2.
In 2005, the International Organization for Standardization (ISO) took two important steps relating to information security. First, it updated ISO 17799:2000 and released it as ISO 17799:2005. Second, it adopted Part 2 of BS 7799 and released it as ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements. For the first time, organizations could be certified against an ISO standard, ISO/IEC 27001, rather than only against the British one; note that certification is against 27001 (the ISMS requirements), not against the ISO 17799:2005 code of practice itself.
By design, ISO 17799:2005 and ISO 27001 are intended to be used by any organization in any industry. However, many smaller organizations may have trouble meeting some of the ISMS requirements because of limited staff and resources.
Basically, ISO 27001 sets out the requirements for how an organization implements and manages the security controls of ISO 17799:2005. According to ISO 27001:
“This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).” According to the Standard, an ISMS is defined as follows:
“The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.”
In other words, the ISMS encompasses your entire information security program,including its relation to other parts of the organization.
While ISO 27001 does not provide a complete prescription for a proper information security program, it does list the organizational functions and documented processes an auditor expects to see before granting certification.