Understanding ISO 27001 and ISO 17799

Let's first start with providing some background on the ISO standards.

First, BS 7799 was created in 1995 by the British Standards Institute (BSI). It focused on protecting the availability, confidentiality and integrity of an organization's information. BS 7799 was just a single standard and was considered a Code of Practice. A certification option that was linked to this standard began to develop and the second part of the standard, BS 7799-2 or Part 2 was developed. The Code of Practice is now recognized under ISO 17799 and BS 7799-1. BS 7799-2 has also undergone revision and internationalization, was withdrawn, and was replaced in November 2005 by ISO 27001:2005. The relationship between the Code of Practice and the certification option has been further established.

Download this free guide

Could Securing Your Channel Business Be Easier? We Can Help.

Download our latest guide to the top strategies solution providers can leverage for starting up and securing a cloud practice, successful approaches to selling and marketing cloud, and why it is urgent for partners to transition now.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

ISO 27001 (the certification option) mandates the use of ISO 17799:2005 (the Code of Practice). ISO 17799:2005 is the source of guidance for the selection and implementation of the controls mandated by ISO 27001.

Therefore, in order to summarize, an organization can be ISO 17799:2005 compliant, but the certifying body is ISO 27001:2005. However, it is possible for an organization to develop its security posture based off of the ISO 17799:2005 Code of Practice only. It is not a certification scheme, it does not specify the requirements for compliance (certified) as the ISO 27001 does. This means that an organization using ISO 17799 on its own can conform to the guidance of the Code of Practice, but it cannot get an outside body to verify that it is complying with the standard. An organization that is using ISO 27001 and ISO 17799 can design a security posture or security program that is in line with the specification and follows the guidance of the Code of Practice, and that is, therefore, capable of achieving external certification.