Standard Evolution

1995      BS 7799 Part 1 (initiative from the Department of Trade and Industry)
1998      BS 7799 Part 2
1999      New issue of BS 7799 Part 1 & 2
2000      ISO/IEC 17799:2000
2001      BS 7799-2:2002 (drafted)
Sep 2002  BS 7799-2:2002 passed and accepted
Jun 2005  ISO 17799:2005
Oct 2005  ISO/IEC 27001:2005
Standard Organization

The standard is structured as a hierarchy: DOMAINS, each containing CONTROL OBJECTIVES, each of which is met by one or more CONTROLS.
Standard Organization

Main clauses of ISO/IEC 27001:2005:
4  Information Security Management System
5  Management Responsibility
6  Internal ISMS Audits
7  Management Review of the ISMS
8  ISMS Improvement

Annex A control domains:
A.5   Information Security Policy
A.6   Organization of Information Security
A.7   Asset Management
A.8   Human Resources Security
A.9   Physical and Environmental Security
A.10  Communications and Operations Management
A.11  Access Control
A.12  Information Systems Acquisition, Development and Maintenance
A.13  Information Security Incident Management
A.14  Business Continuity Management
A.15  Compliance
Standard Organization (contd.)

The eleven control domains are arranged around the information being protected and its three security properties: Confidentiality, Integrity and Availability.

Domains:
- Security policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
Future of the standard

ISO/IEC Standard   Description
27000              Vocabulary and definitions
27001              Specification
27002              Code of Practice (ISO 17799:2005)
27003              Implementation Guidance
27004              Metrics and Measurement
27005              Risk Management (BS 7799-3)
A poor ISMS scope is vague and does not cover all of the organization's assets and technology.
A good example of ISMS scope
The ISMS scope covers all critical systems, applications, networks, telecommunication links, human resources, and information assets. The scope also includes business operations, administrative functions, customer information, buildings, equipment, tools and utilities used in the execution of business of the organization at site A and site B.