Wanganui, New Zealand (PRWEB) July 12, 2007
ISO/IEC has formally announced the incorporation of the popular Code of Practice for Information Security Management, formerly known as ISO/IEC 17799:2005 and originally BS 7799, into the ISO/IEC 27000-series. The standard is now known as ISO/IEC 27002:2005.
The announcement is more significant than merely a change of name. The growing family of ISO/IEC 27000 series information security standards is increasingly recognised by information security professionals worldwide as an embodiment of good information security practices. Well over 3,500 large and small organizations have been formally certified compliant with ISO/IEC 27001, with many thousands more using the standards internally to structure their approach to information security management and drive continuous security improvements.
First released in 1995, British Standard BS 7799 comprised three parts. Part 1 became ISO/IEC 27002. Part 2 became ISO/IEC 27001. Part 3 is anticipated to become ISO/IEC 27005 in due course.
ISO (the International Organization for Standardization) and IEC (the International Electrical Committee) released ISO/IEC 17799 in 2000 and revised it in 2005. Apart from the name, ISO/IEC 27002:2005 is identical to ISO 17799:2005. Its full English title is: "International Standard ISO/IEC 27002:2005. Information technology - Security techniques - Code of practice for information security management".
The ISO/IEC 27000 family is evolving rapidly but at present comprises the following issued or proposed standards:
- ISO/IEC 27000 - will contain the vocabulary and definitions, i.e. the specialist terminology used by all of the ISO27k standards.
- ISO/IEC 27001:2005 - is the Information Security Management System requirements standard (specification) against which organizations are formally certified compliant. Published.
- ISO/IEC 27002:2005 - is the code of practice for information security management, describing a comprehensive set of information security control objectives and a menu of generally accepted good practice controls. Published.
- ISO/IEC 27003 - will be an implementation guide for these standards.
- ISO/IEC 27004 - will be an information security management measurement (metrics) standard to improve the effectiveness of your ISMS.
- ISO/IEC 27005 - will be an information security risk management standard (replacing BS 7799 Part 3).
- ISO/IEC 27006:2007 - is a guide to the certification or registration process for accredited ISMS certification or registration bodies. Published.
- ISO/IEC 27007 - will be a guideline for auditing Information Security Management Systems.
- ISO/IEC 27031 - will be a business continuity standard.
- ISO/IEC 27032 - will be guidelines for cybersecurity.
- ISO/IEC 27034 - will be guidelines for application security.
- ISO/IEC 27799 - will be health sector-specific implementation guidance for ISO/IEC 27002. Other sector-specific implementation guides are planned for industries such as lotteries and (in conjunction with the ITU) telecoms.
Please visit ISO27001security for more information on the ISO/IEC 27000 family.
The standards are available to purchase directly from ISO/IEC, from national standards bodies such as NIST and ANSI, and from a variety of commercial outlets.
ISO27001security.com provides information and guidance for users of the ISO/IEC 27000-series standards. The site is privately run and is not endorsed by or affiliated with ISO/IEC. It is vendor-neutral and non-commercial in nature. The site's owner, IsecT Ltd., is a New Zealand-based consultancy specialising in information security awareness through NoticeBored. IsecT's CEO, Gary Hinson, actively contributes to the development of the ISO/IEC 27000 standards via British Standards and Standards New Zealand.
In addition to frequently-updated details of the evolving ISO/IEC 27000 standards, the site provides an FAQ, book reviews, information on other relevant standards and links to other useful Web resources.
The site has spawned a discussion forum for those actively implementing the standards. Over 500 security professionals are sharing implementation tips and have collaborated on the production and publication of additional guidance including mind maps, process flowcharts, implementation notes and potential security metrics.