Ask the Expert

Understanding ISO 27001 and ISO 17799

I am planning to suggest that my customers become ISO 17799 compliant, but I was wondering if I should also suggest ISO 27001 compliance. Is ISO 17799 enough?

    Requires Free Membership to View

Let's first start with providing some background on the ISO standards.

First, BS 7799 was created in 1995 by the British Standards Institute (BSI). It focused on protecting the availability, confidentiality and integrity of an organization's information. BS 7799 was just a single standard and was considered a Code of Practice. A certification option that was linked to this standard began to develop and the second part of the standard, BS 7799-2 or Part 2 was developed. The Code of Practice is now recognized under ISO 17799 and BS 7799-1. BS 7799-2 has also undergone revision and internationalization, was withdrawn, and was replaced in November 2005 by ISO 27001:2005. The relationship between the Code of Practice and the certification option has been further established.

ISO 27001 (the certification option) mandates the use of ISO 17799:2005 (the Code of Practice). ISO 17799:2005 is the source of guidance for the selection and implementation of the controls mandated by ISO 27001.

Therefore, in order to summarize, an organization can be ISO 17799:2005 compliant, but the certifying body is ISO 27001:2005. However, it is possible for an organization to develop its security posture based off of the ISO 17799:2005 Code of Practice only. It is not a certification scheme, it does not specify the requirements for compliance (certified) as the ISO 27001 does. This means that an organization using ISO 17799 on its own can conform to the guidance of the Code of Practice, but it cannot get an outside body to verify that it is complying with the standard. An organization that is using ISO 27001 and ISO 17799 can design a security posture or security program that is in line with the specification and follows the guidance of the Code of Practice, and that is, therefore, capable of achieving external certification.

This was first published in December 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: