The history of ISO/IEC 27001


The origin of the ISO/IEC 27000 series of standards goes back to the days of the UK Department of Trade and Industry's (DTI) Commercial Computer Security Centre (CCSC). Founded in May 1987, the CCSC had two major tasks. The first was to help vendors of IT security products by establishing a set of internationally recognised security evaluation criteria and an associated evaluation and certification scheme. This ultimately gave rise to the ITSEC and the establishment of the UK ITSEC Scheme. The second task was to help users by producing a code of good security practice and resulted in a “Users Code of Practice” that was published in 1989. This was further developed by the National Computing Centre (NCC), and later a consortium of users, primarily drawn from British Industry, to ensure that the Code was both meaningful and practical from a users point of view. The final result was first published as a British Standard's guidance document PD 0003, A code of practice for information security management, and following a period of further public consultation recast as British Standard BS7799:1995. A second part BS7799-2:1998 was added in February 1998. Following an extensive revision and public consultation period, that began in November 1997, the first revision of the standard, BS7799:1999 was published in April 1999. Part 1 of the standard was proposed as an ISO standard via the “Fast Track” mechanism in October 1999, and published with minor amendments as ISO/IEC 17799:2000 on 1st December 2000.  BS 7799-2:2002 was officially launched on 5th September 2002.

The Quest for International Recognition

This is not the first time BS7799 had been proposed as an ISO standard.  The original version, BS7799:1995 was submitted in the Summer of 1996 but was narrowly defeated. Those countries who voted in its favour were not dismayed, however. Australia and New Zealand, for example recast it (by changing the UK legislative references to corresponding Australian and New Zealand references) and re-published it as AS/NZS 4444. The Netherlands embraced it wholesale and established a certification scheme, which went live early 1997.  This international interest encouraged the British to develop the standard further.

Certification Schemes

Indeed, much to the British chagrin, the Dutch were the first to establish a certification Scheme. It included revolutionary ideas on entry and advanced level certification, and self- as well as third party certification. The “advanced level” certification recognised that that in real life it might be necessary to apply safeguards other than those listed in BS7799.  BDD/2 applauded this idea, and married it with its own ideas on third party certification to create the “c:cure” scheme.

BS7799 Part 2

But there was a problem...

Because BS7799:1995 was a code of practice, how could an assessor associate a pass or fail verdict? Indeed, if non-BS7799 controls could be included, how would an assessor know which safeguards were to apply and which were not. The answer lay in the creation of BS7799 Part 2 which spells out precisely what an organisation and the assessor needed to do in order to ensure successful certification. 

Almost by accident, the creation of Part 2  led to the dramatic conclusion that the concept of an ISMS is perhaps of far greater and fundamental importance than the original Code of Practice. By the inclusion of a variety of feedback loops (as shown in the slide on the right), an ISMS allows managers to monitor and control their security systems thereby minimising the residual business risk and ensuring that security continues to fulfil the corporate, customer and legal requirements.

c:cure - or not c:cure

Less than two years after its creation, the UK “c:cure” certification scheme found itself challenged by alternative schemes predicated on EA7/03, a document entitled “Guidelines for the Accreditation of Bodies operating Certification/Registration of Information Security Management Systems”. This is a document that was agreed and recognised throughout Europe and the members of the European co-operation for Accreditation. It formed the basis of various third party audits undertaken within the USA, mainland Europe, Africa and the UK and is recognised in other parts of the world. In view of the wider acceptance of EA7/03, as of 2nd October 2000, the DTI withdrew its support for c:cure and effectively the c:cure scheme was thereby terminated, to be replaced by the internationally accepted norm.

The creation of ISO/IEC 17799

Following the publication of BS7799:1999 in April 1999, Part 1 of this new version of the standard was proposed as an ISO standard via the “Fast Track” mechanism in October 1999.  The international ballot closed in August 2000, and received the required majority voting. In October 2000, eight minor changes to the BS text were approved and the standard was published as ISO/IEC 17799:2000 on 1st December 2000.

It was re-published on 15 June 2005 as ISO/IEC 17799:2005, as a result of the regular ISO standards update cycle.  The most significant change is in the layout of the controls, which now clearly distinguishes between the requirements, implementation guidance and further information.  There is also some rationalisation, with the addition of some new controls and existing controls better explained.  The revised standard now has 133 controls under 11 headings, as opposed to 127 controls under 10 headings.  There are two new major sections – one putting the controls into a stronger contextual framework of risk assessment and treatment, the other separating out those controls relating to incident management.

The revision of Part 2

There was a school of thought in 1999 to put BS 7799-2:1999 into the ISO Fast Track mechanism, but also a realisation that in contrast to BS 7799-1, it was a relatively immature standard.  A particular criticism was that it gave instruction only on how to build an ISMS and not how to operate, maintain and improve one.  BDD/2 Panel 3 therefore set about creating a new version of BS 7799-2 which would address this particular criticism and, on request of the certification bodies, facilitate the creation of integrated management systems.

BS 7799 Part 2:2002 was published on 5th September at the BS 7799 Goes Global Conference in London. The new edition of BS 7799 Part 2 was harmonized with the other management system standards (ISO 9001:2000 and ISO 14001:1996).  It did this primarily by introducing a Plan-Do-Check-Act (PDCA) model as part of a management system approach to developing, implementing, and improving the effectiveness of an organization's information security management system. 

ISO 9001:2000, for example,  presents the eminently sensible management concept of PLAN-DO-CHECK-ACT.   It simply means decide what you want to do, do it, check that it worked, fix the things that didn't and start all over again.

The implementation of the PDCA model reflected the principles as set out in the OECD guidance (OECD Guidelines for the Security of Information Systems and Networks, 2002) governing the security of information systems and networks.  In particular, this new edition gave a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment.   

As a consequence of references to the OECD guidance being incorporated into BS 7799-2:2002, publication was delayed until 5 September 2002.  This was to coincide with the publication of the OECD guidelines and also to ensure that the rules from UKAS regarding transition from BS 7799-2:1999 to BS 7799-2:2002 could be developed and put in place.

ISO/IEC 27001:2005

In 2005, BS 7799-2 finally entered the ISO Fast Track mechanism and emerged on 14th October 2005 as ISO/IEC 27001:2005.  There is a lot of similarity between the two standards and apart from two differences the other are relatively insignificant.  The first difference that is worthy of note is the adoption of ISO/IEC 17799:2005 as the basis of the SOA.  The second is the introduction of a new requirement concerning ISMS metrics and the need to measure the effectiveness of your information security controls.

ISO/IEC 27002:2005

On 1 July 2007, a Technical Corrigendum (No. 1) was published by ISO to replace “17799” throughout the original ISO/IEC 17799:2005 standard with the new number “27002”, thus bringing the name of the Code of Practice into line with the other standards in the 27000 series.

The Current Standards

On 25 September 2013 new editions of ISO/IEC 27001 and ISO/IEC 27002 were published. The new edition of ISO/IEC 27001 looks radically different to the 2005 edition. This is because it follows the new standard structure for all management systems standards. However, the basic philosophy and intent have not changed. Many concepts have been generalised, with subtle improvements in the way requirements are specified. For example, the need for specific named documents has been replaced by requirements for 'documented information', a more general term giving flexibility in how documentation is structured - and recognising that information may be stored in databases rather than physical documents. Similarly, it does not emphasise the Plan-Do-Check-Act cycle in same way as ISO/IEC 27001:2005 did, prefering to refer to 'continuous improvement' instead. SOA requirements are similar, but with more clarity on the determination of controls by the risk treatment process.

The new edition of ISO/IEC 27002 has a new name, more accurately reflect its purpose as a code of best practice. The content has been thoroughly revised and updated, with some similar controls being combined together and a few new controls added. Overall there are now 114 identified controls organised under 14 major headings.

You can find out more about the development of the new version of ISO/IEC 27001 on our standards revision page. We also have a page about the changes from the previous versions.

The Future

The recent revision process took a long time to complete, due to the difficulties reaching international agreement on changes. There are now many other supporting standards in the ISO/IEC 27000 series. These are being brought into line with the new 27001 and 27002. Once that is complete, we can confidently expect that a new revision cycle will start.

In order to buy a copy of the standards, please contact BSI Customer Services by telephone at (+44) 20 8996 7555  or electronically from https://eshop.bsi-global.com/.