written 5.1 years ago by |
The ISO 27000 series of standards has been specifically reserved by ISO for InfoSec matters. This, of course, aligns with a number of other topics, including ISO 9000 (quality management) and
- Industry working group formed - 1993
- Code of practice - 1993
- British Standard - 1995
- BS 7799 Part 2 - 1998
- BS 7799 Part 1 and Part 2 revised - 1999
- BS ISO/IEC 17799 (BS 7799-1:2000) - 2000
- BS 7799-2:2002 published September 5, 2002
- ISO 17799:2005
- ISO 27001:2005
The ISO 27001 standard was published in October 2005, essentially replacing the old BS 7799-2 standard (see Figure 1). ISO 27001 is the specification for an Information Security Management System (ISMS). BS 7799 itself was a long-standing standard, first published in the 1990s as a code of practice. As it matured, a second part emerged to cover management systems; it is this second part on the basis of which certification is granted, that is, it is the auditable standard. Today, more than 1,000 BS 7799 certificates are in place across the world. ISO 27001 enhanced the content of BS 7799-2 (i.e., Part 2 of BS 7799) and harmonized it with the other standards. Various certification bodies have introduced schemes for converting a BS 7799 certification into an ISO 27001 certification.
The ISO 27002 standard is expected to be the renaming of the existing ISO 17799 standard. However, as a new version of ISO 17799 has only recently hit the presses, this is not likely to be enacted for a considerable period (years, not months). ISO 17799 itself is a code of practice for InfoSec. It outlines hundreds of potential controls and control mechanisms which may be implemented, in theory, subject to the ISMS guidance provided within ISO 27001. It was originally a document published by the UK government, but became a standard "proper" in 1995 when it was re-published by the British Standards Institution (BSI) as BS 7799. In 2000 it was again republished, this time by ISO, as ISO 17799.
At the time of writing, ISO/IEC 27004 is proposed, covering information technology security (ITS) techniques and information security management (ISM) measurements. ISO 27004 will be a new ISO standard on ISM measurements. The standard is currently a working draft being circulated for study and comment. As per the information available at the time of writing, if things go as planned, it will soon be published; publication is due sometime in 2008. The standard is expected to help organizations measure and report the effectiveness of their ISMSs, covering both the security management processes (defined in ISO 27001) and the controls (ISO 17799 / ISO 27002).
The scope of the ISO 27004 standard is to "provide guidance on the specification and use of measurement techniques for providing assurance as regards the effectiveness of information security management systems. It is intended to be applicable to a wide range of organizations with a correspondingly wide range of information security management systems. It provides guidance for measurement procedures and techniques to determine the effectiveness of information security controls and information security processes applied in an ISMS. The purpose of the Information Security Management Measurements Development and Implementation process defined in this Standard is to create a base for each organization to collect, analyze and communicate data related to ISMS processes. This data is ultimately to be used to base ISMS-related decisions on and to improve the implementation of the ISMS."
At the time of writing, ISO/IEC 27005 is proposed to cover ITS techniques and management of information and communications technology security (MICTS), Part 2: Techniques for information and communications technology (ICT) security risk management. Parts 1-4 of ISO TR 13335 will become an international standard for MICTS consisting of the following two parts:
- Part 1: Concepts and models for ICT security management (combining Parts 1 and 2 of ISO TR 13335).
- Part 2: Techniques for ICT security risk management (consisting of ISO TR 13335 Part 3).
The proposed scope of ISO 27005 is to "provide techniques for information security risk management that includes information and communications technology security risk management. The techniques are based on the general concepts, models, and management and planning guidelines laid out in Part 1 of this International Standard. These guidelines are designed to assist the implementation of information security. Familiarity with the concepts and models, and the material concerning the management and planning of information security in ISO/IEC 13335-1, is important for a complete understanding of Part 2. This document gives guidelines for information security risk management, which ISO/IEC 13335-1 of this International Standard specifies as one of the activities that information security management requires to be carried out. ISO/IEC 27005 is applicable to any organization which intends to manage risk that could compromise the organization's information security."