ISO/IEC 27001 International Information Security Standard published

Press release: 2 November 2005

The internationally recognised British Standard BS 7799-2:2002 has been updated and adopted as an international standard, ISO/IEC 27001:2005.

The standard was published by the International Organization for Standardization (ISO) on 15 October 2005. Essentially, ISO/IEC 27001 defines an Information Security Management System (ISMS) and complements the ISO/IEC 17799 'code of practice' standard, itself first published as BS 7799-1. The two standards are closely aligned and related, but perform distinct roles.

ISO/IEC 17799 details a number of individual security controls, which may be selected and applied as part of the ISMS. ISO/IEC 17799, again based on a British Standard, is scheduled to become ISO/IEC 27002 in a couple of years.

ISO/IEC 27001 specifies the requirements for the security management system itself. It is this standard, as opposed to ISO/IEC 17799, against which certification is offered. ISO/IEC 27001 has also been harmonised to be compatible with other management systems standards, such as ISO/IEC 9001 and ISO/IEC 14001. Organisations already certified under BS 7799-2:2002 need to prepare for transition to ISO/IEC 27001 in order to meet its requirements.

The international status of ISO/IEC 27001 will have a global impact and its release should see yet more interest in both information security management and certification.

