ISO27k originated in the 1980s and continues to grow and change, reflecting ongoing evolution in the field, new challenges (such as cloud computing) and emerging consensus on good information security practices. These were the key stages in the development of the core standards ...
ISO/IEC 27001 and 27002:2013 - new versions
ISO/IEC JTC1/SC 27 revised and republished ISO/IEC 27001 and 27002 in 2013.
The revision process was laborious and slow, particularly on 27002 which has become almost unmaintainable. 27001 was substantially revised to bring it into line with other ISO management systems standards.
Various other ISO27k standards were published or updated in 2013: however, this timeline has served its purpose and is no longer being updated.
ISO/IEC 17799:2005 was renumbered ISO/IEC 27002:2005 in the middle of 2007 to bring it into the ISO/IEC 27000 family of standards. The text remains word-for-word identical to ISO/IEC 17799:2005 - in fact, for some while the ISO/IEC 17799 standard continued to be delivered to anyone who ordered ISO/IEC 27002, along with a cover sheet noting the change of number.
In June 2005, the 2000 version was significantly updated with new sections consolidating advice on risk and incident management and many other revisions sprinkled liberally throughout. The format was altered to provide ‘implementation guidance’ notes under each control.
ISO/IEC 17799:2000 - first ISO/IEC version of BS7799-1
After a difficult period of international consideration and review, BS 7799 part 1:1999 was finally adopted by ISO/IEC on a ‘fast track’ process and was released as ISO/IEC 17799 in December 2000. Members of ISO/IEC JTC1/SC 27 were not universally supportive of this first release but it was accepted as a starting point pending further development.
BS 7799 Part 1:1999 - revised
Following a BSI review process, the standard was revised and reissued in 1999.
BS 7799 Part 1:1998 - renamed
The previous British Standard 7799 was joined by a new part 2 certification standard (later to become ISO/IEC 27001) so the original standard was renamed “Part 1” in 1998.
BS 7799:1995 - initial release as a British Standard
The British Standards Institution, BSI (now calling itself “BSI British Standards”, part of the BSI Group), released British Standard 7799.
1993: BSI-DISC PD003 - DTI Code of Practice for Information Security Management - first public release
Pending its release as an official British Standard, the guts of BS 7799 were, in effect, pre-released by the UK Department of Trade and Industry through the British Standards Institution as a free informational item called BSI-DISC PD003 (BSI - Delivering Information Solutions to Customers - Public Document 003). Professor Edward Humphreys and the UK National Computing Centre (NCC), along with information security professionals from Shell, BOC Group, British Telecom, Marks and Spencer, Midland Bank and Nationwide, played a part in developing PD003, while its release was supported by BP, British Aerospace, British Steel, Bull, Cadbury Schweppes, Cameron Markby Hewitt, Chelsea Building Society, Ciba Geigy, Digital Equipment Corporation, Reuters and TSB Bank. BSI-DISC released some nifty free accompanying booklets too, one of which (PD005) had a neat one-page flowchart summarising the implementation process which, sadly, did not survive into any of the current-day ISO27k materials. The DTI later became BERR, the Department for Business Enterprise and Regulatory Reform, and still supports the ISO27k standards today.
1989: DTI CCSC User’s Code of Practice (first publication outside Shell)
Using Shell’s donor document, the UK Department of Trade and Industry’s Commercial Computer Security Centre developed and published this information security guide for their members. The CCSC also wrote “the Green Books” that, with assistance from the UK Government's Communications Electronics Security Group (CESG), turned into the UK ITSEC (IT Security Evaluation and Certification) scheme for certification of security products, launched in 1990/1991.
Late 1980s: Royal Dutch/Shell Group Information Security Policy Manual
BS 7799, and hence ISO27k, owe their existence to this internal document generously donated to the community by Shell. When first published in 1995, BS 7799’s emphasis on mainframe security concepts and lack of explicit references to the Internet hint at its origin in the previous decade. This lack of currency remains an issue today with ISO27k, since the ISO/IEC processes for scoping, specifying, drafting, agreeing and releasing international standards have cycle times of several years, whereas significant new information security issues typically emerge every year. Exactly the same problem affects organizations that implement the standards, but at least the management system gives them the tools to identify and respond to changes in their information risks.
ISO management systems standards
ISO/IEC 27001, specifically, is one of a suite of ISO standards formally specifying ‘management systems’. Other ISO management systems standards include:
- ISO 9001 on quality management derived from BS 5750 and before that the Deming approach to quality assurance and continuous improvement (dealing with the commercial, financial, reputation and other risks associated with failing to produce goods and services of a consistently high quality);
- ISO 14001 on environmental management (dealing with the compliance, social and health risks associated with untreated effluent discharge, pollution etc.);
- ISO 50001 on energy management (dealing with the costs associated with inefficient use of energy);
- OHSAS 18001 on occupational health and safety management [due to become ISO 45001 during 2016] (dealing with risks associated with accidents and deaths at work, unhealthy and unsafe working conditions or practices etc.).
All the ISO management systems standards specify good practice governance and management arrangements concerned with their respective topic areas. W. Edwards Deming’s enduring legacy (aside, that is, from Japan’s manufacturing base and amazing economic recovery since the 1950s!) is the fundamental idea that management first needs to take control in order to assess and, where necessary, systematically improve things. Management information and metrics are vital, along with explicit business-driven objectives or goals against which to measure and assess actual performance, and the governance structures (such as policies and compliance activities) to enact or implement the changes necessary to mature the organization. In Deming’s world, ‘knowledge’ and ‘data’ are the essential tools of management, with shades of Taylorism and the ‘scientific management’ approach that had been popular as mass production came to the fore in the early 20th century.
The management systems standards are succinctly and formally specified, such that organizations can opt to be certified compliant with them by independent bodies, ideally certification bodies that have been duly accredited, thereby giving credibility, integrity and meaning to the certificates they award. Organizations may also choose to adopt the standards without being certified, although certification is sometimes required by owners, authorities, business partners, laws or regulations as a means to increase assurance.
Since 2012, all the ISO management systems standards have been gradually aligned around the same core structure and concepts, often using more or less identical boilerplate text and terms. While this necessitates compromises and kludges here and there, the advantage of alignment is that managers, staff, specialists and auditors who get to know any one management system should also be familiar with the others, at least in conceptual terms. There are other, more subtle advantages too, such as:
- Integration between management systems, and efficiencies such as similar forms and processes, and combined audits;
- Consistent management approaches and terminology;
- Letting the business drive the management systems, rather than the standards or the specialists.