ISO 27001 was originally publised at BS 7799, which was the outcome of a joint initiative by the DTI in the UK and leading UK private sector businesses. The working party, which started work in 1992, produced the first version of BS 7799 in February 1995. This was, originally, simply a Code of Practice for IT Security Management. Organizations that developed ISMSs that complied with this Code of Practice were able to have them independently inspected but there was initially no UKAS scheme in place and, therefore, formal certification was not possible. An alternative solution, known as ‘c:cure’, was adopted to provide a framework for implementation of the standard, and was available from April 1997. The confusion around c:cure and the absence of UKAS accredited certification resulted in uptake of certification to the standard being much slower than anticipated. c:cure was effectively withdrawn as an option late in 2000.
BS 7799 underwent a significant review in 1998. Feedback was collated and, in April 1999, a revised standard was launched. The original Code of Practice was significantly revised and retained as Part 1 of the British standard and a new Part 2 was added. Part 1 was re-titled ‘Code of Practice for Information Security Management’ and provided guidance on best practice in information security management. Part 2, titled ‘Specification for Information Security Management Systems’, formed the standard against which an organization’s security management system was to be assessed and certified.
BS 7799-2 underwent a further review during 2002 and a number of significant changes were made. BS7799-2 ‘forms the basis for an assessment of the Information Security Management System (ISMS) of the whole, or part, of an organization. It may be used as the basis for a formal certification scheme’. It is, in other words, the specific document against which an ISMS will be assessed. The 2005 revision of ISO/IEC 17799 (see below) led to a change in the controls which was reflected in the new international version of the standard, ISO 27001.
As a Code of Practice, BS 7799-1 took the form of guidance and recommendations. Its foreword clearly stated that it was not to be treated as a specification. It became internationalized as ISO/IEC 17799 in December 2000. BS 7799-2, on the other hand was internationalised as ISO/IEC 27001:2005.
In 1998, when the original BS 7799 was revised for the first time, prior to becoming BS 7799-1, references to UK legislation were removed and the text was made more general. It was also made consistent with OECD guidelines on privacy, information security and cryptography. Its best practice controls were made capable of implementation in a variety of legal and cultural environments.
In 2000, BS 7799–1:1999 was, as indicated above, submitted as the proposed text of an international standard and was re-issued with minor changes as BS ISO/IEC 17799:2000. In the UK, it also has the dual number BS 7799–1:2000. It was issued as a single-part standard, titled ‘Information Technology – Code of Practice for Information Security Management’ and replaced BS 7799–1:1999, which was then withdrawn. BS 7799–2:1999 was then replaced by the 2002 version and this, with the revised Annex A, is the standard against which an ISMS has been certified for the last three years.
The reason for developing an international standard on information security management was described by BSI, on their website, as follows: ‘many organizations have expressed the need to have a common standard on best practice for information security management. They would like to be able to implement information security controls to meet their own business requirements as well as a set of controls for their business relationships with other organizations. These organizations see the need to share the benefits of common best practice at a true international level to ensure that they can protect their business processes and activities to satisfy these business needs.’
In other words, the ISO 17799:2005 Code of Practice is intended to provide a framework for international best practice in Information Security Management and systems interoperability. It also provides guidance, to which an external auditor will look, on how to implement a certifiable ISMS. It does NOT, as the standard is currently written, provide the basis for an international certification scheme.
ISO 27001 was designed to harmonise with ISO9001:2000 and ISO14001:1996 so that management systems can be effectively integrated. It implements the Plan-Do-Check-Act (PDCA) model and reflects the principles of the 2002 OECD guidance on the security of information systems and networks.
ISO 27001 implicitly recognises that information security and any Information Management Security System (ISMS) should form an integrated part of any internal control system created as part of Corporate Governance procedures and that the standard fits in with the approach adopted by the Turnbull Committee.