CHAPTER 2: BACKGROUND TO THE STANDARDS

The very first formal information security Standard, BS7799, was originally issued in the UK in April 1999 as a two-part standard. An earlier code of practice had been substantially revised and became Part 1 of the new Standard (BS7799-1:1999) and a new Part 2 (BS7799-2:1999) was drafted and added.

The link between the two standards was created at this point:

•  Part 1 was a code of practice

•  Part 2 was a specification for an ISMS that deployed controls selected from the code of practice.

The original Part 2 specified, in the main body of the Standard, the same set of controls that were described in far greater detail (particularly with regard to implementation) in Part 1. These controls were later removed from the main body of Part 2 and listed in an annex, Annex A.

This relationship continues today: one standard contains the specification for the ISMS, and the other contains the detailed guidance on the information security controls that should be considered when developing and implementing that ISMS.

The International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC)[1] then collaborated to adopt and internationalise BS7799-1 as ISO/IEC 17799:2000 in December 2000. ISO17799 was widely used around the world to provide guidance on best-practice information security controls.

ISO 17799 was substantially revised, improved and updated five years later (in 2005) and it was also renumbered into the ISO27000 series.

BS7799-2

BS7799-2:1999 was revised and reissued as BS7799-2:2002. Significant changes occurred at this time, including:

•  the alignment of the clause numbering in both parts of the Standard

•  the addition of the PDCA model (see Chapter 15) to the Standard

•  the addition of a requirement to continuously improve the ISMS

•  the alignment of the Standard, and its detailed clauses, with ISO9001:2000 and ISO14001:1996, to facilitate the development of integrated management systems.

ISO27001:2005

Although a number of countries adopted BS7799-2, it was still only a British Standard in June 2005, when ISO/IEC 17799:2005 was to be issued. The decision was taken, at that time, to put BS7799-2 on the ‘fast track’ to internationalisation, and an FDIS (Final Draft International Standard) was issued in June 2005. BS7799-2:2005 (ISO/IEC 27001:2005) was finally published in October 2005.

ISO27001:2013

Following an extended consultation with member organisations of the ISO/IEC, the latest edition of ISO27001 was released in October 2013. It shifted the focus towards creating an ISMS that complements the organisation and its processes, and reduced redundancy within the specification and controls.

Correspondence between ISO27001 and ISO27002

Annex A to ISO/IEC 27001:2013 lists the 114 controls that are in ISO/IEC 27002:2013, follows the same numbering system and uses the same words for the controls and control objectives.

The preface to the Annex states: ‘The control objectives and controls [referred to in this edition] are directly derived from and aligned with those listed in ISO/IEC 27002:2013.’ ISO/IEC 27001 requires that the organisation ‘determine all controls that are necessary to implement the information security risk treatment option(s) chosen’[2].

ISO27002 also provides substantial implementation guidance on how individual controls should be approached. Anyone implementing an ISO27001 ISMS will need to acquire and study copies of both ISO27001 and ISO27002.

While ISO27001 in effect mandates the use of ISO27002 as a source of guidance on controls, control selection and control implementation, it does not limit the organisation’s choice of controls. The specification states: ‘The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.’[3]

Use of the Standards

Both standards recognise that information security cannot be achieved through technological means alone, and should never be implemented in a way that is either out of line with the organisation’s approach to risk or undermines or creates difficulties for its business operations.

Effective information security is defined in ISO27000 as the ‘preservation of confidentiality, integrity and availability of information’.

[1] The IEC is ‘the leading global organisation that prepares and publishes international standards for all electrical, electronic and related technologies’. Its website is at www.iec.ch. The ISO and the IEC work together, within the World Trade Organisation (WTO) framework, to provide technical support for the growth of global markets and to ensure that technical regulations, voluntary standards and conformity assessment procedures do not create unnecessary obstacles to trade. The joint ISO/IEC information centre has a website at www.standardsinfo.net.

[2] ISO/IEC 27001:2013, 6.1.3 Information security risk treatment.

[3] Ibid.
