Understanding ISO 27001 and ISO 17799

Let's first start with providing some background on the ISO standards.

First, BS 7799 was created in 1995 by the British Standards Institute (BSI). It focused on protecting the availability, confidentiality and integrity of an organization's information. BS 7799 was just a single standard and was considered a Code of Practice. A certification option that was linked to this standard began to develop and the second part of the standard, BS 7799-2 or Part 2 was developed. The Code of Practice is now recognized under ISO 17799 and BS 7799-1. BS 7799-2 has also undergone revision and internationalization, was withdrawn, and was replaced in November 2005 by ISO 27001:2005. The relationship between the Code of Practice and the certification option has been further established.

Download this free guide

Could Securing Your Channel Business Be Easier? We Can Help.

Download our latest guide to the top strategies solution providers can leverage for starting up and securing a cloud practice, successful approaches to selling and marketing cloud, and why it is urgent for partners to transition now.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

ISO 27001 (the certification option) mandates the use of ISO 17799:2005 (the Code of Practice). ISO 17799:2005 is the source of guidance for the selection and implementation of the controls mandated by ISO 27001.

Therefore, in order to summarize, an organization can be ISO 17799:2005 compliant, but the certifying body is ISO 27001:2005. However, it is possible for an organization to develop its security posture based off of the ISO 17799:2005 Code of Practice only. It is not a certification scheme, it does not specify the requirements for compliance (certified) as the ISO 27001 does. This means that an organization using ISO 17799 on its own can conform to the guidance of the Code of Practice, but it cannot get an outside body to verify that it is complying with the standard. An organization that is using ISO 27001 and ISO 17799 can design a security posture or security program that is in line with the specification and follows the guidance of the Code of Practice, and that is, therefore, capable of achieving external certification.