ISMS FAQs
When will the revised version of ISO/IEC 17799 be published?
The revised version of ISO/IEC 17799 was published on the 15th June 2005.
What will happen to the 2000 version of ISO/IEC 17799?
Now that the 2005 version has been officially published, the 2000 version has been withdrawn.
Are there any new controls in the new version of ISO/IEC 17799?
Yes, there are 17 new controls, and a few of the old ones have been merged, incorporated into others and/or deleted. In total there are now 134 controls.
Is the chapter structure in the new 2005 version the same as in the old version?
There are 11 chapters in the 2005 version, one more than in the 2000 version, and the titles of several chapters have changed – see the illustration below.

What else is new in the 2005 version of ISO/IEC 17799?
The 2005 version addresses a variety of issues including (but not limited to): the security of external service delivery and outsourcing arrangements; current vulnerabilities, such as the management of patches; security prior to, during and at the termination of employment; a greater focus on handling risks and incidents; and dealing with mobile, remote and distributed communications and processing of information.
Is the control objective/control model in the 2005 version of ISO/IEC 17799 the same as in the 2000 version?
Yes, the model is the same: a control objective defines the requirement, and then one or more controls are defined that are designed to satisfy that objective.
Does the 2005 version of ISO/IEC 17799 have the same ‘look and feel’ as the 2000 version?
In general the 2005 version is the same as the 2000 version. Improvements have been made to the ‘user friendliness’ of the standard, to make it easier for readers to distinguish what the control is from what the implementation guidance for that control is. The following illustration shows this new ‘user friendly’ structure.

Is the new ISO/IEC 17799 still a Code of Practice?
Yes, ISO/IEC 17799:2005 is still a Code of Practice, defining best-practice controls. It uses only the word ‘should’ in all of its controls, leaving the selection of controls and their implementation entirely up to the organization. Compare this with BS 7799 Part 2 (see below; also ISO/IEC 27001), which is a requirements specification and uses the word ‘shall’ in all of its requirements, enabling it to be used for accredited certification purposes.
Can the new version of ISO/IEC 17799 be used for certification?
ISO/IEC 17799:2005 is a code of practice for information security management; it was not designed to be used for management system certification. However, the complementary standard BS 7799 Part 2:2002 (and its revised successor from ISO, ‘ISO/IEC 27001, Information security management systems — Requirements’) is designed for, and is being used for, management system certification (see the FAQs below on certification and on Annex A of ISO/IEC 27001).
When will ISO/IEC 27001 be published?
ISO/IEC 27001 was published on the 15th October 2005. This information security management system requirements standard replaces BS 7799 Part 2:2002, which is now withdrawn.
Is ISO/IEC 27001 still related to ISO/IEC 17799:2005?
Yes. ISO/IEC 27001 Information security management systems - Requirements has an Annex A which contains the controls from ISO/IEC 17799:2005.
What other ISMS standards will be in the ISO/IEC 27000 series?
In addition to ISO/IEC 27001 Information security management systems – Requirements, the following are being progressed:
· ISO/IEC 27002 (this is the number that will be given to ISO/IEC 17799 after April 2007)
· ISO/IEC 27003 ISMS implementation guidelines (guidelines being developed to support the use and implementation of ISO/IEC 27001 and ISO/IEC 27002) - under development
· ISO/IEC 27004 Information security management metrics and measurement (aimed at addressing how to measure the effectiveness of ISMS implementations - both the processes and controls) – under development.
How different will ISO/IEC 27001 be from BS 7799 Part 2?
The differences between the new standard ISO/IEC 27001:2005 and BS 7799 Part 2:2002 will not be challenging. Backwards compatibility, consistency and an easy transition between the two standards were kept in mind during the revision process. The differences between ISO/IEC 27001 and BS 7799 Part 2:2002 are far smaller than those between BS 7799 Part 2:2002 and its previous version, BS 7799 Part 2:1999.
Are there other standards that can be used to support the ISO/IEC 27000 series?
Yes, the following are some of them:
· ISO/IEC 13335 Management of ICT Security Parts 1 and 2 (deals with policy and planning, risk assessment methods and selection of controls). Part 1 has been published and Part 2 is still under development.
· ISO/IEC TR 18044 Information security incident management
· ITU-T X.1051 ISMS – Telecoms (this is ISO/IEC 27001 plus a set of telecoms-specific requirements that add to the controls in ISO/IEC 27002 (ISO/IEC 17799))
· Business Continuity and Disaster Recovery Services (new project based on the Singapore standard SS 507)
What about ISMS Accredited Certification?
Until now, organisations that have gone through the accredited certification process for their ISMS have been assessed against the certification requirements standard BS 7799 Part 2:2002. Now that ISO/IEC 27001 has been published and BS 7799 Part 2 has been withdrawn, future certification work (e.g. new certifications, surveillance audits on existing certifications and renewal of certifications) can be transferred to the ISO standard. The National Accreditation Bodies involved in the process will be issuing a Certification Transition Statement giving details of the time period during which organisations, together with their Certification Body, will need to make the transition from BS 7799 Part 2:2002 to ISO/IEC 27001.
What happens to the International Register of ISMS Accredited Certificates?
The current International Register of ISMS Accredited Certificates will continue to exist and to function as an international register of organisations’ ISMS certificates. Certification Bodies throughout the world should continue to provide the Registrar with the details of all new certificates, as well as any updates to existing certificates, using the same notification process in operation today.
Questions or problems regarding this web site should be directed to info@iso27001certificates.com
Copyright © ISMS International User Group, 1997 - 2009, All rights reserved.