Overview

The origin of the ISO/IEC 27000 series of standards goes back to the days of the UK Department of Trade and Industry's (DTI) Commercial Computer Security Centre (CCSC). Founded in May 1987, the CCSC had two major tasks. The first was to help vendors of IT security products by establishing a set of internationally recognised security evaluation criteria and an associated evaluation and certification scheme. This ultimately gave rise to the ITSEC and the establishment of the UK ITSEC Scheme. The second task was to help users by producing a code of good security practice, and resulted in a "Users' Code of Practice" that was published in 1989. This was further developed by the National Computing Centre (NCC), and later by a consortium of users, primarily drawn from British industry, to ensure that the Code was both meaningful and practical from a user's point of view.

The final result was first published as a British Standards guidance document, PD 0003, A code of practice for information security management, and following a period of further public consultation was recast as British Standard BS7799:1995. A second part, BS7799-2:1998, was added in February 1998. Following an extensive revision and public consultation period that began in November 1997, the first revision of the standard, BS7799:1999, was published in April 1999. Part 1 of the standard was proposed as an ISO standard via the "Fast Track" mechanism in October 1999, and published with minor amendments as ISO/IEC 17799:2000 on 1st December 2000. BS 7799-2:2002 was officially launched on 5th September 2002.

The Quest for International Recognition

This is not the first time BS7799 has been proposed as an ISO standard. The original version, BS7799:1995, was submitted in the summer of 1996 but was narrowly defeated. Those countries who voted in its favour were not dismayed, however. Australia and New Zealand, for example, recast it (by changing the UK legislative references to the corresponding Australian and New Zealand references) and re-published it as AS/NZS 4444. The Netherlands embraced it wholesale and established a certification scheme, which went live in early 1997. This international interest encouraged the British to develop the standard further. Indeed, much to the British chagrin, the Dutch were the first to establish a certification scheme. It included revolutionary ideas on entry and advanced level certification, and on self-certification as well as third party certification. The "advanced level" certification recognised that in real life it might be necessary to apply safeguards other than those listed in BS7799. BDD/2 applauded this idea, and married it with its own ideas on third party certification to create the "c:cure" scheme.

BS7799 Part 2

But there was a problem. Because BS7799:1995 was a code of practice, how could an assessor arrive at a pass or fail verdict? Indeed, if non-BS7799 controls could be included, how would an assessor know which safeguards were to apply and which were not? The answer lay in the creation of BS7799 Part 2, which spells out precisely what an organisation and the assessor need to do in order to ensure successful certification.

Less than two years after its creation, the UK "c:cure" certification scheme found itself challenged by alternative schemes predicated on EA7/03, a document entitled "Guidelines for the Accreditation of Bodies operating Certification/Registration of Information Security Management Systems". This is a document agreed and recognised throughout Europe and by the members of the European co-operation for Accreditation. It has formed the basis of various third party audits undertaken within the USA, mainland Europe, Africa and the UK, and is recognised in other parts of the world. In view of the wider acceptance of EA7/03, as of 2nd October 2000 the DTI withdrew its support for c:cure, and the c:cure scheme has effectively been terminated, to be replaced by the internationally accepted norm.

The creation of ISO/IEC 17799

Following the publication of BS7799:1999 in April 1999, Part 1 of this new version of the standard was proposed as an ISO standard via the "Fast Track" mechanism in October 1999. The international ballot closed in August 2000, and received the required majority vote. In October 2000, eight minor changes to the BS text were approved and the standard was published as ISO/IEC 17799:2000 on 1st December 2000.

It was re-published on 15 June 2005 as ISO/IEC 17799:2005, as a result of the regular ISO standards update cycle. The most significant change is in the layout of the controls, which now clearly distinguishes between the requirements, implementation guidance and further information. There is also some rationalisation, with the addition of some new controls and existing controls better explained. The revised standard now has 133 controls under 11 headings, as opposed to 127 controls under 10 headings. There are two new major sections: one putting the controls into a stronger contextual framework of risk assessment and treatment, the other separating out those controls relating to incident management. This will probably be the last version of ISO/IEC 17799 to be published. It will be replaced in 2007 by ISO/IEC 27002.

There was a school of thought in 1999 to put BS 7799-2:1999 into the ISO Fast Track mechanism, but also a realisation that, in contrast to BS 7799-1, it was a relatively immature standard. A particular criticism was that it gave instruction only on how to build an ISMS and not on how to operate, maintain and improve one. BDD/2 Panel 3 therefore set about creating a new version of BS 7799-2 which would address this particular criticism and, at the request of the certification bodies, facilitate the creation of integrated management systems.

The implementation of the PDCA model reflected the principles set out in the OECD guidance (OECD Guidelines for the Security of Information Systems and Networks, 2002) governing the security of information systems and networks. In particular, this new edition gave a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment. As a consequence of references to the OECD guidance being incorporated into BS 7799-2:2002, publication was delayed until 5 September 2002. This was to coincide with the publication of the OECD guidelines, and also to ensure that the rules from UKAS regarding transition from BS 7799-2:1999 to BS 7799-2:2002 could be developed and put in place.

In 2005, BS 7799-2 finally entered the ISO Fast Track mechanism and emerged on 14th October 2005 as ISO/IEC 27001:2005. There is a lot of similarity between the two standards; apart from two differences, the others are relatively insignificant. The first difference that is worthy of note is the adoption of ISO/IEC 17799:2005 as the basis of the SOA. The second is the introduction of a new requirement concerning ISMS metrics and the need to measure the effectiveness of your information security controls.

ISO/IEC 27002:2005

On 1 July 2007, a Technical Corrigendum (No. 1) was published by ISO to replace "17799" throughout the original ISO/IEC 17799:2005 standard with the new number "27002", thus bringing the name of the Code of Practice into line with the other standards in the 27000 series.

The Future

In order to buy a copy of the standards, please contact BSI Customer Services by telephone at (+44) 20 8996 7555 or electronically from https://eshop.bsi-global.com/.
12 July, 2007