ISO Evolves

The long-standing 17799 best practices set is headed for an update dubbed 27001-27002; additional standards are on the horizon

February 01, 2006 — ISO 17799, the international standard Code of Practice for Information Security Management, has its roots in two standards developed and published by the British Standards Institution: BS7799-1:1999 ("Part 1"), and BS7799-2:1999 ("Part 2"). Part 1 is concerned with general principles of information security management, while Part 2 contains specifications and guidance for use. First published in 2000, ISO 17799 was updated in June 2005, while the original BS7799-2 was revised and reissued in September 2002.

Although not quite in lockstep with ISO 17799, the root British standards continue to point the road ahead for it, thanks to close cooperation between the relevant technical committees. According to Jimmy Heschl, information risk manager with KPMG in Vienna, Austria—who follows the work closely—the road map looks something like this.

ISO 27001 is the number given to a revision of the current BS7799-2 standard. In essence, this is the requirements document for an information security management system, he explains. (As with all ISO standards, the full document can be purchased at www.iso.org.)

ISO 27002 is earmarked for the present ISO 17799 itself—possibly with a revision, according to Heschl. ISO 17799 will simply become ISO 27002. "The change is not imminent," is Heschl's best guess at the timescale. While ISO 27003 is the number set aside for a new standard on information risk management, ISO 27004 will be assigned to a standard on information security management and metrics—in other words, "how, what and when to measure infosec processes and controls," as Heschl puts it. Publication won't be sooner than 2007.

Finally, ISO 27005 should provide guidance on implementation. Heschl explains that British standard BS7799-3 does address implementation issues; it is expected that BS7799-3 will evolve into ISO 27005.