

Wednesday, August 22, 2007

ISO/IEC 27000 Information Security Standards Family Adopts a New Member

(July 17, 2007)-- ISO/IEC has formally announced the incorporation of the popular Code of Practice for Information Security Management, formerly known as ISO/IEC 17799:2005 and originally BS 7799, into the ISO/IEC 27000-series. The standard is now known as ISO/IEC 27002:2005.

The announcement is more significant than merely a change of name. The growing family of ISO/IEC 27000 series information security standards is increasingly recognised by information security professionals worldwide as an embodiment of good information security practices. Well over 3,500 large and small organizations have been formally certified compliant with ISO/IEC 27001, with many thousands more using the standards internally to structure their approach to information security management and drive continuous security improvements.

First released in 1995, British Standard BS 7799 comprised three parts. Part 1 became ISO/IEC 27002. Part 2 became ISO/IEC 27001. Part 3 is anticipated to become ISO/IEC 27005 in due course.

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) released ISO/IEC 17799 in 2000 and revised it in 2005. Apart from the name, ISO/IEC 27002:2005 is identical to ISO/IEC 17799:2005. Its full English title is: "International Standard ISO/IEC 27002:2005. Information technology - Security techniques - Code of practice for information security management".

The ISO/IEC 27000 family is evolving rapidly but at present comprises the following issued or proposed standards:

* ISO/IEC 27000 - will contain the vocabulary and definitions i.e. the specialist terminology used by all of the ISO27k standards.

* ISO/IEC 27001:2005 - is the Information Security Management System requirements standard (specification) against which organizations are formally certified compliant. Published.

* ISO/IEC 27002:2005 - is the code of practice for information security management describing a comprehensive set of information security control objectives and a menu of generally accepted good practice controls. Published.

* ISO/IEC 27003 - will be an implementation guide for these standards.

* ISO/IEC 27004 - will be an information security management measurement (metrics) standard to improve the effectiveness of your ISMS.

* ISO/IEC 27005 - will be an information security risk management standard (replacing BS 7799 Part 3).

* ISO/IEC 27006:2007 - is a guide to the certification or registration process for accredited ISMS certification or registration bodies. Published.

* ISO/IEC 27007 - will be a guideline for auditing Information Security Management Systems.

* ISO/IEC 27031 - will be a business continuity standard.

* ISO/IEC 27032 - will be guidelines for cybersecurity.

* ISO/IEC 27034 - will be guidelines for application security.

* ISO/IEC 27799 - will be health sector-specific implementation guidance for ISO/IEC 27002. Other sector-specific implementation guides are planned for industries such as lotteries and (in conjunction with the ITU) telecoms.
