Frequently Asked Questions
What is BS ISO/IEC 27001?
BS ISO/IEC 27001:2005 (BS 7799-2:2005) is the new international standard that provides a specification for an ISMS (information security management system) and the foundation for third-party audit and certification. The standard is complementary to the new standard BS ISO/IEC 17799:2005 (BS 7799-1:2005).
The basic objective of the standard is to help establish and maintain an effective information security management system, using a continual improvement approach. It implements OECD (Organisation for Economic Co-operation and Development) principles governing the security of information systems and networks.
The new standard replaces BS 7799-2:2002.
Is BS 7799-2:2002 still a valid standard?
BS 7799-2:2002 has been withdrawn now that BS ISO/IEC 27001:2005 (BS 7799-2:2005) has been published. Those companies certified/registered to BS 7799-2:2002 will need to make the transition to the new standard.
Why does the new standard have a new identifier, name and number?
To identify the standard as an international standard, the identifier and number have to change. The new name reflects the name of the ISO committee working on the standard, and now more clearly defines the purpose of the standard. However, the standard is also dual-numbered BS 7799-2:2005.
Eventually, BS ISO/IEC 27001 will be one of a number of security standards published as part of the BS ISO/IEC 27000 series. BS ISO/IEC 27002 and BS ISO/IEC 27004 are likely to be produced in the next few years.
Is ISO/IEC 27001 the same as BS ISO/IEC 27001?
Yes. ISO/IEC 27001 is the “base” international standard. BS ISO/IEC 27001 is the version published by the UK National Standards Body (BSI British Standards). The content is identical.
What is covered by BS ISO/IEC 27001?
- Normative references
- Terms and definitions
- Information Security Management System
- Management responsibility
- Management review of the ISMS
- ISMS improvement
What is the process for implementing BS ISO/IEC 27001?
1) Define an information security policy.
2) Define scope of the information security management system.
3) Perform a security risk assessment.
4) Manage the identified risk.
5) Select controls to be implemented and applied.
6) Prepare an SOA (statement of applicability).
Is BS ISO/IEC 27001 “harmonised” with the other ISO Management systems?
The standard provides a specification for ISMS and the foundation for third-party audit and certification. It is harmonised to work with other management system standards such as ISO 9001 and ISO 14001 and will assist in the integration and operation of an organization’s overall management system. It implements the Plan-Do-Check-Act (PDCA) model and reflects the principles of the 2002 OECD guidance on the security of information systems and networks.
Can I get certified to BS ISO/IEC 27001 now?
Yes. Certifications prior to publication of ISO/IEC 27001 will still be against BS 7799-2:2002. After this date, organizations will need to adapt their current projects or existing management systems accordingly.
Will there be a “crossover period” between the two standards?
Only for those certified to BS 7799-2:2002.
What does BS ISO/IEC 27001 mean for IT security officers?
BS ISO/IEC 27001 is the standard that all organizations should look to implement. The standard will reassure clients and suppliers that information security is taken seriously within the organization and that it has in place recognized processes to deal with information security threats and issues.