Understanding ISO 27001 and ISO 17799

Help your customers develop a security posture capable of achieving external certification by understanding how ISO 27001 and ISO 17799 work together.

Published: 06 Dec 2006

I am planning to suggest that my customers become ISO 17799 compliant, but I was wondering if I should also suggest ISO 27001 compliance. Is ISO 17799 enough?

Let's first start with providing some background on the ISO standards.

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please log in.

You have exceeded the maximum character limit.

Please provide a Corporate Email Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

First, BS 7799 was created in 1995 by the British Standards Institute (BSI). It focused on protecting the availability, confidentiality and integrity of an organization's information. BS 7799 was just a single standard and was considered a Code of Practice. A certification option that was linked to this standard began to develop and the second part of the standard, BS 7799-2 or Part 2 was developed. The Code of Practice is now recognized under ISO 17799 and BS 7799-1. BS 7799-2 has also undergone revision and internationalization, was withdrawn, and was replaced in November 2005 by ISO 27001:2005. The relationship between the Code of Practice and the certification option has been further established.

ISO 27001 (the certification option) mandates the use of ISO 17799:2005 (the Code of Practice). ISO 17799:2005 is the source of guidance for the selection and implementation of the controls mandated by ISO 27001.

Therefore, in order to summarize, an organization can be ISO 17799:2005 compliant, but the certifying body is ISO 27001:2005. However, it is possible for an organization to develop its security posture based off of the ISO 17799:2005 Code of Practice only. It is not a certification scheme, it does not specify the requirements for compliance (certified) as the ISO 27001 does. This means that an organization using ISO 17799 on its own can conform to the guidance of the Code of Practice, but it cannot get an outside body to verify that it is complying with the standard. An organization that is using ISO 27001 and ISO 17799 can design a security posture or security program that is in line with the specification and follows the guidance of the Code of Practice, and that is, therefore, capable of achieving external certification.

What’s new in ISO 27001: 2103 for storage and backup?

Adapa Raja Vijay Kumar

What is ISO certified vs. ISO compliant?

Things that need to change in information security standards