Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to SearchSecurityChannel.com you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of SearchSecurityChannel.com is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
Let's first start with providing some background on the ISO standards.
First, BS 7799 was created in 1995 by the British Standards Institute (BSI). It focused on protecting the availability, confidentiality and integrity of an organization's information. BS 7799 was just a single standard and was considered a Code of Practice. A certification option that was linked to this standard began to develop and the second part of the standard, BS 7799-2 or Part 2 was developed. The Code of Practice is now recognized under ISO 17799 and BS 7799-1. BS 7799-2 has also undergone revision and internationalization, was withdrawn, and was replaced in November 2005 by ISO 27001:2005. The relationship between the Code of Practice and the certification option has been further established.
ISO 27001 (the certification option) mandates the use of ISO 17799:2005 (the Code of Practice). ISO 17799:2005 is the source of guidance for the selection and implementation of the controls mandated by ISO 27001.
Therefore, in order to summarize, an organization can be ISO 17799:2005 compliant, but the certifying body is ISO 27001:2005. However, it is possible for an organization to develop its security posture based off of the ISO 17799:2005 Code of Practice only. It is not a certification scheme, it does not specify the requirements for compliance (certified) as the ISO 27001 does. This means that an organization using ISO 17799 on its own can conform to the guidance of the Code of Practice, but it cannot get an outside body to verify that it is complying with the standard. An organization that is using ISO 27001 and ISO 17799 can design a security posture or security program that is in line with the specification and follows the guidance of the Code of Practice, and that is, therefore, capable of achieving external certification.
This was first published in December 2006