Wednesday, July 06, 2005

ISO 17799 News: Final Draft of ISO 27001 Published

ISO 17799 NEWSLETTER: SPECIAL EDITION

Significant changes to major standards are rare, to say the least. Two such changes to closely related standards are rarer still. However, this scenario has recently occurred with respect to the information security standards. Hence we find ourselves issuing a second special edition of the ISO 17799 newsletter within three weeks, for which we apologise.

Following hot on the heels of the publication of ISO 17799 2005, the final draft of ISO 27001 has now been produced.

WHAT IS ISO 27001?

ISO 27001 is the replacement for BS7799. This in turn is the 'sister publication' for ISO 17799. Whereas ISO 17799 is a 'code of practice', describing individual controls for potential implementation, BS7799 outlines the requirements for an Information Security Management System. In other words, it sets out a system for the management of information security, within which the controls described within ISO 17799 may be selected.

BS7799 is in fact the part of the standard set against which certification is granted. This mantle will be passed to ISO 27001 upon final publication.

The new (draft) version has incorporated a number of significant changes. It further 'harmonizes' the approach with other management standards, such as ISO 9001, and builds further upon the PDCA model (Plan-Do-Check-Act). However, the main driver in terms of timing seems to have been the urgent need for re-alignment with the new version of ISO 17799 (2005) as opposed to the old version (2000).

WHY A 'DRAFT' VERSION?

BS7799 was submitted for 'fast track' to become an ISO standard some time ago. Even this process, though, is lengthy, requiring due process and consultation. It has now passed all the key voting stages, however, and final publication is expected later this year.

This of course presents something of a dilemma. BS7799 is not aligned properly with the current 2005 version of ISO 17799.

To address this, SNV (the Swiss national standards body) and BSI have offered a free upgrade to the final version, to those who purchase the draft version from their respective online shops (see below). This enables organizations to work with the final draft (known as the FDIS version), without having to re-purchase to obtain the copy with any i's dotted, and t's crossed.

WHY 27001?
Major topic-based standards tend to be grouped together in a series. Typical of this are the ISO 9000 series (quality management) and the ISO 14000 series (environmental management). 27000 has been earmarked for the information security management series.

The first publication within this series is of course 27001. However, it is envisaged that eventually ISO 17799 will be renumbered as ISO 27002. A new document, for security measurement and metrics, is being produced for potential publication as ISO 27004.

OFFICIAL SOURCES

SNV: The Swiss national standards body, SNV, offer ISO 27001 FDIS from the following site:
http://www.standards-online.net/InformationSecurityStandard.htm

BSI: Through the StandardsDirect outlet, BSI offer the draft standard from the following page:
http://www.standardsdirect.org/iso27001.htm

A special version of the ISO 17799 Toolkit, the standard's support and starter kit, which includes the new standard (draft), is available via both these sites.

Both the above versions are currently in English language only.

DISCUSS THESE DEVELOPMENTS

ISO 17799 and ISO 27001 can be openly discussed on the public forum provided by the International ISO 17799 User Group:
http://www.17799.com

There is a second public forum, via Yahoo, available from the following site:
http://www.27001-online.com

For further information see the ISO 17799 Newsletter archive site at: http://17799-news.the-hamster.com

ISO17799 NEWSLETTER REMINDER
============================
Subscription to the ISO17799 Newsletter is free (although strictly 'opt-in' only) via the above website. Please do feel free to pass this copy on to your friends and colleagues. If you do not wish to receive further copies, simply email us at the address below with a title of 'Unsubscribe'. Email address: newsletter@17799news.com.
