ISO 17799 and BS 7799 - Security Standards - ISMS is not a quality standard
venkat (9th February 2004, 02:41 PM)
There has been a misconception that ISMS is a quality management system, which is not so.
Though BS7799 borrows some of the practices of the ISO 9001:2000 standard, this is essentially not a QMS.
Moreover, the Information Security Manager reports to the top management. A person wielding an MR post cannot hold the post of Information Security Manager because there will be a conflict of interest.
Kindly request you to send your inputs on this.
Also, is it possible to use Six Sigma for BS 7799?
Marc (9th February 2004, 04:46 PM)
For those like me who didn't know (I'm not sure what ISMS is, but...):
BS7799 is a security standard.
ISO 17799 is the most widely recognised security standard. It is based upon BS7799, which was last published in May 1999, an edition which itself included many enhancements and improvements on previous versions. The first version of ISO 17799 was published in December 2000.
ISO17799 is comprehensive in its coverage of security issues. It contains a substantial number of control requirements, some extremely complex. Compliance with ISO 17799, or indeed any detailed security standard, is therefore a far from trivial task, even for the most security conscious of organizations. Certification can be even more daunting.
It is recommended therefore that ISO 17799 is approached step by step. The best starting point is often an assessment of the current position, followed by identification of what changes are needed for ISO17799. From here, planning and implementation must be undertaken.
SaraHol (1st March 2004, 11:00 AM)
Marc: When you do a post like that, quoting pretty much word for word from an existing web site, the least you should really do is quote the source.
I thought it was kinda familiar, and found it at Security Policy World:
http://www.information-security-policies-and-standards.com/iso17799desc.htm
It's not a big issue, but it's a good habit to get into.
All the best
Sidney Vianna (1st March 2004, 02:38 PM)
> For those like me who didn't know (I'm not sure what ISMS is, but...):
Information Security Management Systems.
There are both an International and a US based ISMS Users Group.
Check the Information Security Management Systems (ISMS) Users Group: http://www.us-isms.org/
pargovind (15th December 2004, 05:37 AM)
Hello,
The ISO 17799 Standards are not Certifying standards, whereas Certification can be obtained under BS-7799-2 Standards. Still, a Company can always seek certification under ISO 17799 Standards. But such a certification does not have any seal of authority from a Certifying Agency.
I understand that, in the US, most companies have been reluctant to get BS 7799-2 certification, but that it is picking up momentum now, though slowly.
Could anybody confirm my perceptions?
Govind Srinivasan
Chennai India
Mr BS7799 (18th January 2005, 10:03 PM)
There are two standards under the ISO/BS world that pertain to information security: ISO/IEC 17799:2000 and BS 7799-2:2002.
The closest analogy I could make for these two are ISO 9001:2000 and ISO 9004:2000.
ISO/IEC 17799:2000 provides guidance in implementing BS 7799 controls ("should", hence not mandatory).
BS 7799-2:2002 provides the requirements to achieve an ISMS ("shall", mandatory).
Mr Pargovind is correct that certification can only be issued for BS 7799. But organizations can still be "compliant" to ISO/IEC 17799.
Lastly, BS 7799-2:2002 will become an ISO standard by the 2nd quarter of this year. It shall have the name ISO 24742:2005.
IMHO, the reluctance of American companies probably stems from the fact that BS7799 is a British Standard. The momentum increase could "probably" be attributed to the impending release of ISO 24742:2005.
Warm regards to all the members and contributors!!!
Sidney Vianna (20th June 2005, 01:18 PM)
> Lastly, BS 7799-2:2002 will become an ISO standard by 2nd quarter of this year. It shall have the name ISO 24742:2005.
Looks like BS7799-2 will become ISO/IEC 27001, Information security management system (ISMS) requirements, which can be used for certification.
http://www.iso.org/iso/en/commcentre/pressreleases/2005/Ref963.html
Ref.: 963
20 June 2005
Improved ISO/IEC 17799 makes information assets even more secure
An improved version of the joint ISO/IEC standard that has become the burgeoning e-commerce community's international benchmark for information security management has just been published.
The revised ISO/IEC 17799, Information technology -- Security techniques -- Code of practice for information security management, integrates the latest developments in the field to maintain it as the international standard code of practice.
The modern interconnected e-commerce environment, with information now exposed to a growing number and a wider variety of threats and vulnerabilities, is the main beneficiary of the standard.
Ted Humphreys, Convenor of the ISO/IEC working group that developed ISO/IEC 17799:2005, said: "The revised version of this standard provides organizations with many state-of-the-art additions and improvements in information security best practice.
For example, better management of security arrangements with external businesses, outsourcing and service providers, enhanced incident handling capability, dealing with problems of patch management, mobile devices, wireless technologies and harmful mobile code via the Internet, improvements in best practice managing human resources and several other new features."
ISO/IEC 17799:2005 is a code of practice for information security management. It is not a certification standard and was neither designed, nor is it suitable for this purpose. It will be followed in the last quarter of the year (publication currently expected in November 2005) by the specification standard ISO/IEC 27001, Information security management system (ISMS) requirements, which can be used for certification.
The new version addresses the security of information in its widest sense, providing best business practice, guidelines and general principles for implementing, maintaining and managing information security in any organization, producing and using information in any form.
Any organization has assets, essential to its continuity. Arguably, information in its various forms is the most important asset, be it printed, stored electronically, posted or e-mailed, shown on film or spoken. For most businesses, information security may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. But many businesses and most non-business organizations may hold information as their only asset. An absence of information security may threaten their integrity and, therefore, very existence.
ISO/IEC 17799:2005 recognizes that the level of security that can be achieved purely through technical means is limited. The required level of security, established through assessing the levels of risk and associated costs through breaches of security against the costs of implementing security, should always be driven by appropriate management controls and procedures. Information security management requires, as a minimum, participation by all employees in the organization. It may also require participation from shareholders, suppliers, third parties and customers.
ISO/IEC 17799:2005 identifies the controls that form the starting point for information security. It covers the critical success factors, the organization of information security, asset management, human resources, physical and environmental security, communications and operations management, information systems acquisition, development and maintenance, incident management, business continuity management and compliance. It is destined to become an essential tool for organizations of every type and size, whether public or private.
Ted Humphreys commented: "Users of this standard can also demonstrate to business partners, customers and suppliers that they are fit enough and secure enough to do business with, providing the chance for them to turn their investment in information security into business-enabling opportunities."
In summary, this revised ISO/IEC 17799 is the most important standard for managing information security that has been developed; it establishes a truly international common language for information security for all organizations around the world to engage with each other to do business.
ISO/IEC 17799:2005, Information technology -- Security techniques -- Code of practice for information security management, costs 200 Swiss francs and is available from ISO national member institutes (see the complete list with contact details: http://www.iso.org/iso/en/prods-services/ISOstore/store.html) and from ISO Central Secretariat (see below). It was developed by ISO/IEC Joint Technical Committee JTC 1, Information technology, Subcommittee SC 27, Security techniques, Working Group WG 1, Requirements, security services and guidelines.
Sidney Vianna (7th July 2005, 07:19 PM)
Summary:
The final draft of the new security management standard, ISO 27001, has been released.
Website: ISO 17799 Newsletter: News & Updates for ISO 27001 and ISO17799 (http://17799-news.the-hamster.com/)
For Immediate Release:
Significant changes to major standards are rare and infrequent, to say the least. Two such changes to closely related standards even more so. However, this scenario has recently occurred with respect to the information security standards.
Following hot on the heels of the publication of ISO 17799 2005, the final draft of ISO 27001 has now been produced.
WHAT IS ISO 27001?
ISO 27001 is the replacement for BS7799. This in turn is the 'sister publication' for ISO 17799. Whereas ISO 17799 is a 'code of practice', describing individual controls for potential implementation, BS7799 outlines the requirements for an Information Security Management System. In other words, it sets out a system for the management of information security, within which the controls described within ISO 17799 may be selected.
BS7799 is in fact the part of the standard set against which certification is granted. This mantle will be passed to ISO 27001 upon final publication.
The new (draft) version has incorporated a number of significant changes. It further 'harmonizes' the approach with other management standards, such as ISO 9001, and builds further upon the PDCA model (Plan-Do-Check-Act). However, the main driver in terms of timing seems to have been the urgent need for re-alignment with the new version of ISO 17799 (2005) as opposed to the old version (2000).
WHY A 'DRAFT' VERSION?
BS7799 was submitted for 'fast track' to become an ISO standard some time ago. Even this process, though, is lengthy, requiring due process and consultation. It has now passed all the key voting stages, however, and final publication is expected later this year.
This of course presents something of a dilemma. BS7799 is not aligned properly with the current 2005 version of ISO 17799.
To address this, SNV (the Swiss national standards body) and BSI have offered a free upgrade to the final version, to those who purchase the draft version from their respective online shops (see below). This enables organizations to work with the final draft (known as the FDIS version), without having to re-purchase to obtain the copy with any i's dotted, and t's crossed.
WHY 27001?
Major topic based standards tend to be grouped together in terms of a series. Typical of this is the ISO 9000 series (quality management) and the ISO 14000 series (environmental management). 27000 has been earmarked for the information security management series.
The first publication within this series is of course 27001. However, it is envisaged that eventually ISO 17799 will be renumbered as ISO 27002. A new document, for security measurement and metrics, is being produced for potential publication as ISO 27004.
OFFICIAL SOURCES
SNV: The Swiss national standards body, SNV, offer ISO 27001 FDIS from the following site:
ISO 17799 and ISO 27001 Information Security - Standards Online (http://www.standards-online.net/InformationSecurityStandard.htm)
BSI: Through the StandardsDirect outlet, BSI offer the draft standard from the following page:
ISO 27001 and ISO 17799 Information Security Standards - Standards Direct (http://www.standardsdirect.org/iso27001.htm)
A special version of the ISO 17799 Toolkit, the standard's support and starter kit, which includes the new standard (draft), is available via both these sites.
Both the above versions are currently in English language only.
Sidney Vianna (20th October 2005, 06:31 PM)
ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements (http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=42103&ICS1=35&ICS2=40&ICS3)
Abstract
ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following:
- use within organizations to formulate security requirements and objectives;
- use within organizations as a way to ensure that security risks are cost effectively managed;
- use within organizations to ensure compliance with laws and regulations;
- use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- definition of new information security management processes;
- identification and clarification of existing information security management processes;
- use by the management of organizations to determine the status of information security management activities;
- use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
- use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
- implementation of business-enabling information security;
- use by organizations to provide relevant information about information security to customers.
ISOgal (21st October 2005, 08:13 PM)
It (ISO 27001) has finally been published! The final phase seems to have been going on for ever. From the latest ISO 17799 Newsletter:
ISO 27001 Published Today
====================
The much anticipated ISO 27001 has been published as an official standard, following several months of public comment and debate.
This particular standard defines an 'Information Security Management System', the key word being management, and complements the current ISO 17799 standard. It essentially specifies a generic framework for the design/maintenance of the information security process within an organization.
The two security standards are closely inter-linked, but have very distinct and defined roles:
ISO 17799
This details the individual and detailed security controls, which may be selected for application as part of the security management system.
ISO 27001
This specifies and defines the overall requirements for the security management system itself. It is ISO 27001, as opposed to ISO 17799, against which formal certification is offered. It was built upon an earlier standard, BS7799-2, and has also been made more compatible with other quality management standards.
THE GLOBAL IMPACT
This publication is likely to herald a significant increase in interest in both information security generally and security certification specifically. Those already certified under BS7799-2 will be offered a transitional route, whereas the international (ISO) status of the new standard is certain to have an impact on the numbers following this route generally.
This has already started to manifest itself in terms of the record number of pre-publication orders for the new standard, and the recent substantial membership increases of the Online ISO 17799 / ISO 27001 User Group (http://www.17799.com).
OFFICIAL SOURCES OF THE STANDARD
The new standard can be downloaded from:
StandardsDirect (BSI): http://17799.standardsdirect.org
It will also be available from SNV (Swiss Standards) shortly from:
Standards Online: http://www.standards-online.net/InformationSecurityStandard.htm
Finally, the support kit for these standards has also been updated: http://www.17799-toolkit.com (About US$1000)
FURTHER INFORMATION
Further information can be obtained from the ISO 17799 News website at:
http://17799-news.the-hamster.com
Sidney Vianna (27th October 2005, 09:07 PM)
http://www.iso.org/iso/en/commcentre/pressreleases/2005/Ref976.html
Ref.: 976
27 October 2005
State-of-the-art information security management systems with new ISO/IEC 27001:2005 standard
Information security flaws can result in escalating financial losses and wreak havoc with business operations. The newly published ISO/IEC 27001:2005 standard for information security management systems can help organizations plug existing leaks and prevent future threats.
"The publication of ISO/IEC 27001:2005 is a big event in the world of information security and the standard has been eagerly awaited," said Ted Humphreys, Convenor of the working group responsible for managing the development of the standard. "It is a standard that all security-conscious organizations should look to implement."
ISO/IEC 27001:2005 can be used by a broad range of organizations, small, medium and large, in most of the commercial and industrial market sectors: finance and insurance, telecommunications, utilities, retail and manufacturing sectors, various service industries, transportation sector, governments and many others.
The implementation of ISO/IEC 27001:2005 will reassure customers and suppliers that information security is taken seriously within the organizations they deal with because they have in place state-of-the-art processes to deal with information security threats and issues.
Information is an asset, which, like other important business assets, adds value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems.
ISO/IEC 27001:2005, Information technology -- Security techniques -- Information security management systems -- Requirements, specifies the processes to enable a business to establish, implement, review and monitor, manage and maintain an effective ISMS.
ISO/IEC 27001:2005 integrates the process-based approach of ISO's management system standards ISO 9001:2000 and ISO 14001:2004 including the Plan-Do-Check-Act (PDCA) cycle and requirement for continual improvement.
The new standard forms a complementary pair with the recently published ISO/IEC 17799:2005 "code of practice" on information security management.
Organizations that so wish can have their information security management systems independently certified as conforming to the requirements of ISO/IEC 27001:2005, although certification is not a requirement of the standard.
Up to now, organizations that wished to have their ISMS certified have done so in conformity with the British Standard BS 7799 Part 2. This is now possible against ISO/IEC 27001:2005, which is an International Standard.
ISO/IEC 27001:2005, Information technology -- Security techniques -- Information security management systems -- Requirements, costs 124 Swiss francs and is available from ISO national member institutes (see the complete list with contact details: http://www.iso.org/iso/en/prods-services/ISOstore/memberstores.html) and from the ISO Central Secretariat (see below). It was developed by ISO/IEC Joint Technical Committee JTC 1, Information technology, Subcommittee SC 27, Security techniques, Working Group WG 1, Requirements, security services and guidelines.
ISO Store: to order ISO/IEC 27001:2005, Information technology -- Security techniques -- Information security management systems -- Requirements (http://www.iso.org/iso/en/commcentre/pressreleases/2005/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=42103)
and
ISO/IEC 17799:2005, Information technology -- Security techniques -- Code of practice for information security management (http://www.iso.org/iso/en/commcentre/pressreleases/2005/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=)
Press contact:
Ms. Elizabeth Gasiorowski-Denis
Journalist and Editor, ISO Focus
Public Relations
Tel. +41 22 749 01 11
Fax +41 22 733 34 30
E-mail gasiorowski@iso.org
For more information:
Convenor of ISO/IEC JTC 1/SC 27/WG 1:
Mr. Ted Humphreys
Tel. +44 1473 626 615
E-mail tedxisecltd@aol.com
Enquiries about orders:
Ms. Sonia Rosas Friot
Marketing Services
Tel. +41 22 749 03 36
Fax +41 22 749 09 47
E-mail sales@iso.org
juliedrys (12th February 2006, 04:16 PM)
Anyone have thoughts on what will happen with this standard? It seems to me that Information Security is a growing concern for all companies, and having an ISMS is a must. But is the Standard itself taking off?
Sidney, I know DNV is offering registration to this standard; is there a lot of interest?
Sidney Vianna (13th February 2006, 12:52 PM)
> Sidney, I know DNV is offering registration to this standard; is there a lot of interest?
Not yet. Like many other Standards, other parts of the World seem to deploy BS 7799 and ISO 27001 much sooner and faster than in the Good Ol' USA.
But when you have so much sensitive data being broken in, on a daily basis, it is quite logical to expect that American corporations will heed to the need to manage information security more carefully, since the risks are getting higher. Since ISO 27001 provides for a good model to do so, it leads me to believe that the US corporations will awake to the Standard in the next 2-3 years.
juliedrys (6th March 2006, 04:56 PM)
Thanks Sidney. I agree that the US will probably lag behind the rest of the world in adopting 27001, but it will happen. Is DNV training auditors in the US on this Standard yet?
Randy (22nd June 2006, 03:12 PM)
I don't know about others, but we are offering training to 27000.
ISO 27001:2005 - Information Security Management System Lead Auditor Course
Duration - 5 Days
Course Description
BSI’s “ISO 27001:2005 – Information Security Management System Lead Auditor” teaches students the fundamentals of auditing information security management systems to ISO 27001:2005. This five-day intensive course trains students on how to conduct audits for certification bodies and facilitate the ISO 27001:2005 registration process. The auditing exercises and lectures are based on ISO 19011:2002, “Guidelines for Quality and/or Environmental Management Systems Auditing.” The course is designed specifically for those people who wish to conduct external assessments or internal audits to ISO 27001:2005, although students will also gain the knowledge and understanding necessary to give practical help and information to other individuals and organizations working toward conformance to the standard.
This course is registered* by the governing board of the IQA - International Register of Certified Auditors (IRCA) and meets part of the training requirements of those seeking registration as a lead auditor under that scheme. It also meets the training requirements for IATCA auditor certification.
*(A17287)
ISOgal (22nd June 2006, 03:19 PM)
> I don't know about others, but we are offering training to 27000.
I guess you mean ISO 27001 Randy. There's a lot of loose terminology around (not too much on here thankfully :) ) as a lot of folks seem to be struggling with the different numbers.
ISO 27000 is in fact a generic label only: see http://www.27000.org
The other numbers within have been allocated, but if and when they get populated... it's probably known as 'ISO time'.
Randy (22nd June 2006, 03:31 PM)
Of course I did....
ISOgal (22nd June 2006, 03:45 PM)
> Of course I did....
Sorry.. no offense intended. Like myself, you will have been around the web and seen how often the terms are loosely interchanged. It's easy to forget this when you are discussing with more informed folks like yourself.
celso klitzke (13th August 2006, 10:12 PM)
Will ISO 20k take off?
wrodnigg (17th August 2006, 10:45 AM)
> Will ISO 20k take off?
Same as ISO 27k1. We already have our first customers for 20k and 27k1 certification...
Btw, here is also a draft guideline for application of 27k1 in healthcare: ISO/DIS 27799 "Health informatics -- Security management in health using ISO/IEC 17799"