ISO 27001 information security management system

IMSM will help you install a working ISMS (Information Security Management System), pass the audit and become registered and secure.



ISO/BS comparison


ISO 27001 compared to BS7799


The first point to underline is that the new international standard is not significantly different from the British version of the standard; it was not the intention of the International Standards Organization (ISO) to contradict or drastically change what had gone before, or to impose unnecessary extra work on organizations already using it.

All international and national standards are subjected to a periodic review process. The review cycle for the transition from BS7799 to ISO 27001 saw some 4,000 comments submitted by national standards organizations. As part of this feedback it was determined that the standard needed a refresh and additional clarity to help its successful adoption as the internationally recognized best practice.

As a result, a number of structural changes have been made to 27001, such as the creation of a new section on incident management using controls previously found in the personnel section. There are now a total of 133 controls in eleven sections. There are eight new control objectives, five consolidated or combined controls, 17 new controls to cover additional issues and nine deleted controls.

The most significant change is the new requirement to measure the effectiveness of the controls (or groups of controls) that are implemented. The rationale is that you cannot properly manage what you cannot measure, and there is limited benefit in implementing something whose usefulness you cannot measure.

The management processes implemented for ISO 27001 are based on the Deming cycle of continuous improvement: Plan-Do-Check-Act. Measuring effectiveness is a critical element of improving information security management, and hence realizing business benefit and flexibility in a changing environment.

While this may be relatively straightforward for the more technical controls, such as the time taken to deploy upgrades and patches to servers or to update anti-virus profiles on user desktops, it will be more challenging for other controls, such as measuring the overall effectiveness of the ISMS or compliance with relevant legislation.

Helpfully, this difficulty has been recognized by the ISO, and this stipulation will be supported by a further new guidance standard on ISMS measurement (ISO 27004), although that standard is still only in the early stages of drafting.

In many cases the new standard states more explicitly what should already be in place in organizations claiming compliance with the standard, for example the need for senior management commitment. Another difference is a greater focus on security within third-party contracts and on how that service delivery is monitored, managed and change-controlled. The terminology used in the new standard has also changed slightly; it has been 'internationalized' so that it is no longer UK-specific. The interpretations that differ most widely are those relating to national legislation. The standard is also designed to be compatible with other standards, notably ISO Guide 73 on risk management terminology, and ISO 15000/ISO 20000.


Incidentally, both BS7799 and ISO 27001 are auditable, certifiable standards (they have checkable controls), whereas ISO 17799 is a code of practice: it gives advice about how to make information systems secure but is not auditable in the same way as the other two. However, ISO 17799 is incorporated into ISO 27001 as "Annex A", and ISO 27001 refers to clauses 5 to 15 of ISO 17799 for implementation advice and guidance on best practice in support of the controls in ISO 27001.


For more information on ISO 27001, contact Alex Cox. Tel: +44 (0)1666 826065

