ISO 17799 Background

Background and Overview of ISO 17799/27001

Sound information security is the cornerstone of sensible corporate governance. The emergence of an international standard to support this was perhaps inevitable.

However, it took until the second half of the 1990s for this process to really take shape.

ISO 17799 is often used as a generic term for what are actually two different documents: ISO 17799 (also known as ISO 27002), which is a set of security controls (a code of practice), and ISO 27001 (formerly BS 7799-2), which is a standard specification for an Information Security Management System (an ISMS).

Before the international information security standard known as ISO 17799, there was the preceding British Standard BS 7799, published by the British Standards Institute (BSI).

The original BS 7799 had two parts. BS 7799 Part 1, Code of practice for information security management, established the overall requirements for an information security program by breaking security into ten separate topic domains.

BS 7799-1 was eventually adopted as the first international standard for information security, ISO 17799:2000.

BS 7799 Part 2, entitled Information security management systems — Specification with guidance for use, was designed to allow an organization to become certified as following the techniques defined in Part 1 of the standard.

Within Great Britain and around Europe, hundreds of organizations became certified against BS 7799. Up until last year, if an organization wished to become “certified”, it could only be done against the British Standard BS 7799.

In 2005, the International Organization for Standardization (ISO) took two important steps relating to information security. First, it updated ISO 17799:2000 and called it ISO 17799:2005. Second, it adopted Part 2 of BS 7799 and released it as ISO/IEC 27001: Information technology — Security techniques — Information security management systems — Requirements. For the first time, organizations can get certified against the ISO 17799:2005 standard.

By definition, ISO 17799:2005 and ISO 27001 are designed to be used by any organization in any industry. However, many smaller organizations may have trouble meeting some of the requirements of an ISMS due to limited manpower and resources.

Basically, ISO 27001 sets out the requirements for how an organization can implement the security requirements of ISO 17799:2005. According to ISO 27001:

“This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).”

According to the Standard, an ISMS is defined as follows:

“The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.”

In other words, the ISMS encompasses your entire information security program, including its relation to other parts of the organization.

While ISO 27001 does not provide a complete prescription for a proper information security program, it does list the various organizational functions required for certification.

About Martin Smith

Martin Smith holds a degree in Engineering Management and is just trying to make life a bit easier for anyone who wishes to read these articles.
