9th February 2004, 02:41 PM
ISO 17799 and BS 7799 - Security Standards - ISMS is not a quality standard
There has been a misconception that ISMS is a quality management system, which is not so.
Though BS7799 borrows some of the practices of the ISO 9001:2000 standard, it is essentially not a QMS.
Moreover, the Information Security Manager reports to top management. A person wielding an MR post cannot hold the post of Information Security Manager because there would be a conflict of interest.
I kindly request you to send your inputs on this.
Also, is it possible to use Six Sigma for BS 7799?
__________________
venkat
9th February 2004, 04:46 PM
For those like me who didn't know (I'm not sure what ISMS is, but...):
BS7799 is a security standard.
ISO 17799 is the most widely recognised security standard. It is based upon BS7799, which was last published in May 1999, an edition which itself included many enhancements and improvements on previous versions. The first version of ISO 17799 was published in December 2000.
ISO17799 is comprehensive in its coverage of security issues. It contains a substantial number of control requirements, some extremely complex. Compliance with ISO 17799, or indeed any detailed security standard, is therefore a far from trivial task, even for the most security conscious of organizations. Certification can be even more daunting.
It is recommended therefore that ISO 17799 is approached step by step. The best starting point is often an assessment of the current position, followed by identification of what changes are needed for ISO17799. From here, planning and implementation must be undertaken.
__________________
A Search is a terrible thing to waste!
One Test is Worth 1000 Expert Opinions - The plural of anecdote is not data.
We can't solve problems by using the same kind of thinking we used when we created them. - Unknown
1st March 2004, 11:00 AM
Quoting Sources
Marc: When you do a post like that, quoting pretty much word for word from an existing web site, the least you should really do is quote the source.
I thought it was kinda familiar, and found it at
Security Policy World
with URL
http://www.information-security-poli...o17799desc.htm
It's not a big issue, but it's a good habit to get into.
All the best
1st March 2004, 02:38 PM
All the MS's
Quote:
Originally Posted by Marc
For those like me who didn't know (I'm not sure what ISMS is, but...):
Information Security Management Systems.
There are both an International and US based ISMS Users Group.
Check Information Security Management Systems (ISMS) Users Group
__________________
Fighting organizational dysfunction, one post at a time.
Last edited by Sidney Vianna; 1st March 2004 at 07:25 PM.
15th December 2004, 05:37 AM
BS 7799-2 in the USA
Hello,
The ISO 17799 Standards are not certifying standards, whereas certification can be obtained under the BS 7799-2 Standards. Still, a company can always seek certification under the ISO 17799 Standards. But such a certification does not have any seal of authority from a Certifying Agency.
I understand that, in the US, most companies have been reluctant to get BS 7799-2 certification, but that it is picking up momentum now, though slowly.
Could anybody confirm my perceptions?
Govind Srinivasan
Chennai India
18th January 2005, 10:03 PM
There are two standards under the ISO/BS world that pertain to information security: ISO/IEC 17799:2000 and BS 7799-2:2002.
The closest analogy I could make for these two is ISO 9001:2000 and ISO 9004:2000.
ISO/IEC 17799:2000 provides guidance in implementing BS 7799 controls ("should", hence not mandatory).
BS 7799-2:2002 provides the requirements to achieve an ISMS ("shall", mandatory).
Mr Pargovind is correct that certification can only be issued for BS 7799. But organizations can still be "compliant" to ISO/IEC 17799.
Lastly, BS 7799-2:2002 will become an ISO standard by the 2nd quarter of this year. It shall have the name ISO 24742:2005.
IMHO, the reluctance of American companies probably stems from the fact that BS7799 is a British Standard. The momentum increase could "probably" be attributed to the impending release of ISO 24742:2005.
Warm regards to all the members and contributors!!!
__________________
Quis custodiet ipsos custodes. "Who will guard the guardians?"
20th June 2005, 01:18 PM
Quote:
Originally Posted by Mr BS7799
Lastly, BS 7799-2:2002 will become an ISO standard by 2nd quarter of this year. It shall have the name ISO 24742:2005.
Looks like BS7799-2 will become ISO/IEC 27001, Information security management system (ISMS) requirements, which can be used for certification.
http://www.iso.org/iso/en/commcentre...05/Ref963.html
Ref.: 963
20 June 2005
Improved ISO/IEC 17799 makes information assets even more secure
An improved version of the joint ISO/IEC standard that has become the burgeoning e-commerce community’s international benchmark for information security management has just been published.
The revised ISO/IEC 17799, Information technology – Security techniques – Code of practice for information security management, integrates the latest developments in the field to maintain it as the international standard code of practice.
The modern interconnected e-commerce environment, with information now exposed to a growing number and a wider variety of threats and vulnerabilities, is the main beneficiary of the standard.
Ted Humphreys, Convenor of the ISO/IEC working group that developed ISO/IEC 17799:2005, said: “The revised version of this standard provides organizations with many state-of-the-art additions and improvements in information security best practice.
“For example, better management of security arrangements with external businesses, outsourcing and service providers, enhanced incident handling capability, dealing with problems of patch management, mobile devices, wireless technologies and harmful mobile code via the Internet, improvements in best practice managing human resources and several other new features.”
ISO/IEC 17799:2005 is a code of practice for information security management. It is not a certification standard and was neither designed, nor is it suitable for this purpose. It will be followed in the last quarter of the year (publication currently expected in November 2005) by the specification standard ISO/IEC 27001, Information security management system (ISMS) requirements, which can be used for certification.
The new version addresses the security of information in its widest sense, providing best business practice, guidelines and general principles for implementing, maintaining and managing information security in any organization, producing and using information in any form.
Any organization has assets, essential to its continuity. Arguably, information in its various forms is the most important asset, be it printed, stored electronically, posted or e-mailed, shown on film or spoken. For most businesses, information security may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. But many businesses and most non-business organizations may hold information as their only asset. An absence of information security may threaten their integrity and, therefore, very existence.
ISO/IEC 17799:2005 recognizes that the level of security that can be achieved purely through technical means is limited. The required level of security – established through assessing the levels of risk and associated costs through breaches of security, against the costs of implementing security – should always be driven by appropriate management controls and procedures. Information security management requires, as a minimum, participation by all employees in the organization. It may also require participation from shareholders, suppliers, third parties and customers.
ISO/IEC 17799:2005 identifies the controls that form the starting point for information security. It covers the critical success factors, the organization of information security, asset management, human resources, physical and environmental security, communications and operations management, information systems acquisition, development and maintenance, incident management, business continuity management and compliance. It is destined to become an essential tool for organizations of every type and size, whether public or private.
Ted Humphreys commented: “Users of this standard can also demonstrate to business partners, customers and suppliers that they are fit enough and secure enough to do business with, providing the chance for them to turn their investment in information security into business-enabling opportunities.
“In summary, this revised ISO/IEC 17799 is the most important standard for managing information security that has been developed – it establishes a truly international common language for information security for all organizations around the world to engage with each other to do business.”
ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information security management, costs 200 Swiss francs and is available from ISO national member institutes (see the complete list with contact details) and from ISO Central Secretariat (see below). It was developed by ISO/IEC Joint Technical Committee JTC 1, Information technology, Subcommittee SC 27, Security techniques, Working Group WG 1, Requirements, security services and guidelines.
__________________
Fighting organizational dysfunction, one post at a time.
7th July 2005, 07:19 PM
http://www.free-press-release.com/news/200507/1120737392.html
Summary:
The final draft of the new security management standard, ISO 27001, has been released.
Website: ISO 17799 Newsletter: News & Updates for ISO 27001 and ISO17799
For_Immediate_Release:
Significant changes to major standards are rare and infrequent, to say the least. Two such changes to closely related standards even more so. However, this scenario has recently occurred with respect to the information security standards.
Following hot on the heels of the publication of ISO 17799 2005, the final draft of ISO 27001 has now been produced.
WHAT IS ISO 27001?
ISO 27001 is the replacement for BS7799. This in turn is the 'sister publication' for ISO 17799. Whereas ISO 17799 is a 'code of practice', describing individual controls for potential implementation, BS7799 outlines the requirements for an Information Security Management System. In other words, it sets out a system for the management of information security, within which the controls described within ISO 17799 may be selected.
BS7799 is in fact the part of the standard set against which certification is granted. This mantle will be passed to ISO 27001 upon final publication.
The new (draft) version has incorporated a number of significant changes. It further 'harmonizes' the approach with other management standards, such as ISO 9001, and builds further upon the PDCA model (Plan-Do-Check-Act). However, the main driver in terms of timing seems to have been the urgent need for re-alignment with the new version of ISO 17799 (2005) as opposed to the old version (2000).
WHY A 'DRAFT' VERSION?
BS7799 was submitted for 'fast track' to become an ISO standard some time ago. Even this process, though, is lengthy, requiring due process and consultation. It has now passed all the key voting stages, however, and final publication is expected later this year.
This of course presents something of a dilemma. BS7799 is not aligned properly with the current 2005 version of ISO 17799.
To address this, SNV (the Swiss national standards body) and BSI have offered a free upgrade to the final version, to those who purchase the draft version from their respective online shops (see below). This enables organizations to work with the final draft (known as the FDIS version), without having to re-purchase to obtain the copy with any i's dotted, and t's crossed.
WHY 27001?
Major topic based standards tend to be grouped together in terms of a series. Typical of this is the ISO 9000 series (quality management) and the ISO 14000 series (environmental management). 27000 has been earmarked for the information security management series.
The first publication within this series is of course 27001. However, it is envisaged that eventually ISO 17799 will be renumbered as ISO 27002. A new document, for security measurement and metrics, is being produced for potential publication as ISO 27004.
OFFICIAL SOURCES
SNV: The Swiss national standards body, SNV, offer ISO 27001 FDIS from the following site:
ISO 17799 and ISO 27001 Information Security - Standards Online
BSI: Through the StandardsDirect outlet, BSI offer the draft standard from the following page:
ISO 27001 and ISO 17799 Information Security Standards - Standards Direct
A special version of the ISO 17799 Toolkit, the standard's support and starter kit, which includes the new standard (draft), is available via both these sites.
Both the above versions are currently in English language only.
__________________
Fighting organizational dysfunction, one post at a time.