For years, organizations have been searching for an objective benchmark to measure the security of potential business partners and to distinguish the security quality of their own services. While not perfect, ISO 17799 emerged as the standard of choice because it overcame many of the critical deficiencies of SAS 70. Specifically, it provided a comprehensive set of security-related topics and an objective means of measuring compliance.
Building on that success, and following the same approach it used with the ISO 900X Quality Assurance standards and the ISO 1400X Environmental Management standards, the International Organization for Standardization (ISO) has reserved the 27000 numbering range for a series of Information Security Standards. The initial standards are:
– ISO 27000 contains technical definitions used throughout the 2700X series.
– ISO 27001 is a specification for an Information Security Management System (ISMS). ISO 27001:2005 is a re-labeling of BS 7799 part 2. This is the formal standard used for certifying Information Security Management Systems. Its focus is on the evaluation process rather than on content.
– ISO 27002 is a re-labeling of ISO 17799, which was originally BS 7799 part 1. This standard contains a Code of Practice consisting of a comprehensive set of information security control objectives and a menu of best-practice security controls.
– ISO 27004 is the number reserved for a future standard covering information security management measurement and metrics.
– ISO 27005 is the number reserved for a future standard covering information security risk management.
To achieve certification, an organization’s ISMS must be audited by an assessor who works for a Certification Body. A Certification Body must have been accredited by the National Accreditation Body for the relevant geography. The certification process requires clear segregation of duties: the organization performing the certification must not have been involved in providing either consulting or training.
History has shown that far more organizations have used ISO 17799 as a framework for conducting comprehensive security assessments aimed at improving the security and controls of their IT infrastructure than for the specific purpose of certification. It is important to recognize that these standards have value well beyond certification.
Unless there is a clear business reason, such as customers or partners demanding certification to do business, most organizations would be better served thinking in terms of compliance with ISO 27002 rather than certification to ISO 27001.
Given the expense, and absent a clear business driver, there is little incremental value in spending money on formal certification. In most cases, having a reputable security firm attest that an organization is “substantially compliant” is more than sufficient.
Just as with ISO 9000, the marketplace is not homogeneous. Certain vertical markets, such as aerospace, or certain supply chains may latch onto ISO 27001 certification as a required fact of life.
The decision to certify or comply is about more than cost; the two standards measure different things. ISO 27001 assesses whether an organization follows a coarse-grained set of processes that are integral to maintaining the security of an enterprise. Certification assumes that if these processes are in place, effective security automatically follows.
In contrast, ISO 27002 describes a comprehensive set of concrete and fine-grained practices against which an enterprise can be compared.
Bear in mind that both of these standards need to be interpreted within a specific business context, taking into account the organization’s technology, its attractiveness as a target, and its business risk.
The ISO 27001 and ISO 27002 standards are gaining attention for being practical mechanisms for both assessing and asserting good security practices.