Frequently Asked Questions
Information Security Management System (ISMS) Standards
Version 3.0, May 2005

The following are a set of frequently asked questions relating to new developments regarding ISO/IEC 17799 and ISMS (information security management system) standards. This set of FAQs will be updated on a regular basis as and when new questions are asked or new developments take place. These FAQs and updates will be available on the ISMS International User Group web site. Email enquiries to ISMSIUG@aol.com.

Ted Humphreys (Chair and Founder of the ISMS International User Group)
Page 1 of 5
ISO/IEC 17799 Code of practice for information security management

When will the revised version of ISO/IEC 17799 be published?
The revised version of ISO/IEC 17799 is expected to be published from June 2005 onwards. The exact date has yet to be determined.

What will happen to the 2000 version of ISO/IEC 17799?
Once the 2005 version is officially published, the 2000 version will be withdrawn.

Are there any new controls in the new version of ISO/IEC 17799?
Yes, there are 17 new controls, and a few of the old ones have been merged and/or deleted. In total there are now 134 controls.

Is the chapter structure in the new 2005 version the same as in the old version?
There are 11 chapters in the 2005 version, one more than in the 2000 version, and there have been changes to the titles of the chapters (see illustration below).
What else is new in the 2005 version of ISO/IEC 17799?
The 2005 version addresses a variety of issues including (but not limited to): security of external service delivery and the provisioning of outsourcing; addressing today's vulnerabilities, such as the management of patches; security prior to, during and at termination of employment; greater focus on handling risks and incidents; and dealing with mobile, remote and distributed communications and processing of information.

Is the control objective/control model in the 2005 version of ISO/IEC 17799 the same as in the 2000 version?
Yes, the model is the same: a control objective defines the requirements, and then one or more controls are defined that are designed to satisfy this objective.

Does the 2005 version of ISO/IEC 17799 have the same look and feel as the 2000 version?
In general the 2005 version is the same as the 2000 version. Improvements have been made to the user-friendliness of the standard, to make it easier for readers to distinguish what the control is from what the implementation guidance for the control is. The following illustration shows this new user-friendly structure.
Is the new ISO/IEC 17799 still a Code of Practice?
Yes, the new version of ISO/IEC 17799 is still just a Code of Practice, defining best-practice controls. It still uses only the word "should" in all of its controls, leaving the selection of controls and their implementation entirely up to the organization. Compare this with BS 7799 Part 2 (see below; also ISO/IEC 27001), which is a requirements specification and uses the word "shall" in all its controls, enabling users to use it for accredited certification purposes.

ISMS (Information Security Management System) Standards

What is happening with BS 7799 Part 2:2002?
ISO/IEC JTC1/SC27 (the standards committee that also deals with ISO/IEC 17799) is in the process of progressing an ISMS (information security management system) requirements standard. When this work is finished and published by ISO/IEC, BS 7799 Part 2:2002 will be withdrawn and the ISO/IEC standard will be used instead.

What will the number of the ISMS standard be?
Following in the footsteps of other management system standards (e.g. the ISO 9000 and ISO 14000 series), ISO/IEC JTC1/SC27 is launching the 27000 series for its ISMS (information security management system) standards. Hence the number and title of the new ISMS standard will be ISO/IEC 27001 Information security management systems - Requirements.

Will ISO/IEC 27001 still be related to ISO/IEC 17799:2005?
Yes, they will still be related. ISO/IEC 27001 Information security management systems - Requirements has an Annex A, as is the case with BS 7799 Part 2:2002, which will contain the controls from ISO/IEC 17799.

Are there any other ISMS standards in the ISO/IEC 27000 series?
Yes. As well as the standard ISO/IEC 27001 Information security management systems - Requirements being progressed, there is also a standard ISO/IEC 27004 Information security management metrics and measurement being developed. This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls). In addition, there are proposals being discussed for other standards and guidelines to support the use and implementation of ISO/IEC 27001. One such proposal is to develop an ISMS implementation guidance standard, with the intention of providing more help and guidance on implementing the processes and controls in ISO/IEC 27001.
What about ISO/IEC 17799:2005 and the ISO/IEC 27000 series?
ISO/IEC 17799:2005 Code of practice for information security management will not change its number in the short term. However, the proposal is to allocate the number ISO/IEC 27002 to the ISO/IEC 17799 standard in April 2007. This will enable the market to become familiar with this new series of numbers.

How different will ISO/IEC 27001 be from BS 7799 Part 2?
It is expected that the differences between the new standard ISO/IEC 27001:2005 and BS 7799 Part 2:2002 will not be challenging. Backwards compatibility, consistency and easy transition between the two standards have been kept in mind in the revision process. The differences between ISO/IEC 27001 and BS 7799 Part 2:2002 are far smaller than those between BS 7799 Part 2:2002 and its previous version, BS 7799 Part 2:1999.

What about ISMS accredited certification?
Currently, organisations that have gone through the accredited certification process for their ISMS are assessed according to the certification requirements standard BS 7799 Part 2:2002. Once ISO/IEC 27001 has been published and BS 7799 Part 2 has been withdrawn, future certification work (e.g. new certifications, surveillance audits on existing certifications and renewal of certifications) can be transferred over to using the ISO standard. National Accreditation Bodies that are involved in the process will be issuing a Certification Transition Statement, which will give details of the time period during which organisations, together with their Certification Body, will need to make the transition from BS 7799 Part 2:2002 to ISO/IEC 27001. It is expected that this Certification Transition Statement will be issued before the publication of ISO/IEC 27001.

What happens to the International Register of ISMS Accredited Certificates?
The current International Register for ISMS Accredited Certificates will continue to exist and function as an International Register for the purpose of registering an organisation's ISMS certificate. Certification Bodies throughout the world should continue to provide the Registrar with the details of all new certificates, as well as any updates to existing certificates, using the same notification process in operation today.