The final draft of the new security management standard, ISO 27001, has been released.
July 7, 2005 (Press Release) --
Significant changes to major standards are rare and infrequent, to say the least. Two such changes to closely related standards even more so. However, this scenario has recently occurred with respect to the information security standards.
Following hot on the heels of the publication of ISO 17799 2005, the final draft of ISO 27001 has now been produced.
WHAT IS ISO 27001?
ISO 27001 is the replacement for BS7799. This in turn is the 'sister publication' for ISO 17799. Whereas ISO 17799 is a 'code of practice', describing individual controls for potential implementation, BS7799 outlines the requirements for an Information Security Management System. In other words, it sets out a system for the management of information security, within which the controls described within ISO 17799 may be selected.
BS7799 is in fact the part of the standard set against which certification is granted. This mantle will be passed to ISO 27001 upon final publication.
The new (draft) version has incorporated a number of significant changes. It further 'harmonizes' the approach with other management standards, such as ISO 9001, and builds further upon the PDCA model (Plan-Do-Check-Act). However, the main driver in terms of timing seems to have been the urgent need for re-alignment with the new version of ISO 17799 (2005) as opposed to the old version (2000).
WHY A 'DRAFT' VERSION?
BS799 was submitted for 'fast track' to become an ISO standard some time ago. Even this process though is lengthy, requiring due process and consultation. It has now passed all the key voting stages, however, and final publication is expected later this year.
This of course presents something of a dilemma. BS7799 is not aligned properly with the current 2005 version of ISO 17799.
To address this, SNV (the Swiss national standards body) and BSI have offered a free upgrade to the final version, to those who purchase the draft version from their respective online shops (see below). This enables organizations to work with the final draft (known as the FDIS version), without having to re-purchase to obtain the copy with any i's dotted, and t's crossed.
WHY 27001?
Major topic based standards tend to be grouped together in terms of a series. Typical of this is the ISO 9000 series (quality management) and the ISO 14000 series (environmental management). 27000 has been earmarked for the information security management series.
The first publication within this series is of course 27001. However, it is envisaged that eventually ISO 17799 will be renumbered as ISO 27002. A new document, for security measurement and metrics, is being produced for potential publication as ISO 27004.
OFFICIAL SOURCES
SNV: The Swiss national standards body, SNV, offer ISO 27001 FDIS from the following site:
http://www.standards-online.net/InformationSecurityStandard.htm
BSI: Through the StandardsDirect outlet, BSI offer the draft standard from the following page:
http://www.standardsdirect.org/iso27001.htm
A special version of the ISO 17799 Toolkit, the standard's support and starter kit, which includes the new standard (draft), is available via both these sites.
Both the above versions are currently in English language only.
DISCUSS THESE DEVELOPMENTS
ISO 17799 and ISO 27001 can be openly discussed on the public forum provided by the International ISO 17799 User Group:
http://www.17799.com
There is a second public forum, via Yahoo, available from the following site:
http://www.27001-online.com
For further information see the ISO 17799 Newsletter archive site at: http://17799-news.the-hamster.com
Following hot on the heels of the publication of ISO 17799 2005, the final draft of ISO 27001 has now been produced.
WHAT IS ISO 27001?
ISO 27001 is the replacement for BS7799. This in turn is the 'sister publication' for ISO 17799. Whereas ISO 17799 is a 'code of practice', describing individual controls for potential implementation, BS7799 outlines the requirements for an Information Security Management System. In other words, it sets out a system for the management of information security, within which the controls described within ISO 17799 may be selected.
BS7799 is in fact the part of the standard set against which certification is granted. This mantle will be passed to ISO 27001 upon final publication.
The new (draft) version has incorporated a number of significant changes. It further 'harmonizes' the approach with other management standards, such as ISO 9001, and builds further upon the PDCA model (Plan-Do-Check-Act). However, the main driver in terms of timing seems to have been the urgent need for re-alignment with the new version of ISO 17799 (2005) as opposed to the old version (2000).
WHY A 'DRAFT' VERSION?
BS799 was submitted for 'fast track' to become an ISO standard some time ago. Even this process though is lengthy, requiring due process and consultation. It has now passed all the key voting stages, however, and final publication is expected later this year.
This of course presents something of a dilemma. BS7799 is not aligned properly with the current 2005 version of ISO 17799.
To address this, SNV (the Swiss national standards body) and BSI have offered a free upgrade to the final version, to those who purchase the draft version from their respective online shops (see below). This enables organizations to work with the final draft (known as the FDIS version), without having to re-purchase to obtain the copy with any i's dotted, and t's crossed.
WHY 27001?
Major topic based standards tend to be grouped together in terms of a series. Typical of this is the ISO 9000 series (quality management) and the ISO 14000 series (environmental management). 27000 has been earmarked for the information security management series.
The first publication within this series is of course 27001. However, it is envisaged that eventually ISO 17799 will be renumbered as ISO 27002. A new document, for security measurement and metrics, is being produced for potential publication as ISO 27004.
OFFICIAL SOURCES
SNV: The Swiss national standards body, SNV, offer ISO 27001 FDIS from the following site:
http://www.standards-online.net/InformationSecurityStandard.htm
BSI: Through the StandardsDirect outlet, BSI offer the draft standard from the following page:
http://www.standardsdirect.org/iso27001.htm
A special version of the ISO 17799 Toolkit, the standard's support and starter kit, which includes the new standard (draft), is available via both these sites.
Both the above versions are currently in English language only.
DISCUSS THESE DEVELOPMENTS
ISO 17799 and ISO 27001 can be openly discussed on the public forum provided by the International ISO 17799 User Group:
http://www.17799.com
There is a second public forum, via Yahoo, available from the following site:
http://www.27001-online.com
For further information see the ISO 17799 Newsletter archive site at: http://17799-news.the-hamster.com
Email
Print
Download
SPAM
LEAVE A COMMENT
