This blog reflects my thoughts on some topics in the field of security management and infrastructure security.

Wednesday, September 28, 2005

Threat Report: more focussed attacks


Symantec has released its Internet Security Threat Report for the first six months of 2005.
SANS summarizes:

The study found that 74 percent of the top 50 malicious code samples submitted to Symantec were of the sort that exposed confidential data. The report also noted a trend of attackers moving away from attacks on network perimeters and toward targeted attacks. Also noted was an increase in modular malicious code, which downloads additional functionality after initial infection. DoS attacks grew from 119/day to 927/day over the six-month period studied; this marks a 640 percent increase over the same period last year. The average time between disclosure of a vulnerability and the appearance of an exploit decreased from 6.4 days to 6 days, while the average length of time vendors took to release a patch for a vulnerability was 54 days.

The report underlines the trend away from the lone nerd seeking attention and towards criminal activity aimed at earning money. Other reports [2] [3] also show a more professional approach to attacks. For white-hat security professionals, projects like the Honeynet Project are crucial for keeping a realistic view of the actual threats.

Monday, September 19, 2005

Changes in ISO/IEC 17799

Standards and norms for information security are on the move. On June 23rd, ISO/IEC 17799:2000 was replaced by ISO/IEC 17799:2005.

This code of practice for security management has had some visible changes, which affect professional security consultancy. The changes are a further development along the line started by the previous standard, but they include some relevant differences. I have listed the most important changes below.

The number of information security areas has grown to 11: information security incident management now has a chapter of its own. The area formerly called information systems development and maintenance is now called information systems acquisition, development and maintenance. The complete list of information security areas is now:


  • security policy;

  • organization of information security;

  • asset management;

  • human resources security;

  • physical and environmental security;

  • communications and operations management;

  • access control;

  • information systems acquisition, development and maintenance;

  • information security incident management;

  • business continuity management;

  • compliance.



The numbering of the security controls does not match the numbering used in BS 7799-2:2002, the standard used for certification. Not earlier than November this year, the new ISO 27001 (BS 7799-2:2005) will replace the current requirements document. The numbering will then be synchronized again.

Seventeen new controls have been added, including vulnerability and patch management, provision of outsourcing and external service delivery. Other controls have been merged or removed completely. The number of controls is now 134. The use of risk assessment as the basis for deciding on security controls and measures is now a requirement. In the new standard this topic has been moved out of the introduction and into a separate chapter.

ISO is in the process of aligning its set of information security standards, originally adopted from British Standard 7799, with the existing standards on quality assurance, such as the ISO 9000 family. Information security will be covered by standards numbered in the ISO 27000 range. The first one in this range will be the update of the requirements standard (now BS 7799-2), which will be called ISO/IEC 27001 (BS 7799-2:2005). Later, in 2007, the recently released code of practice ISO/IEC 17799 will be renamed ISO/IEC 27002. A completely new standard, covering security metrics and measurements, will be called ISO/IEC 27004. A release date has not been defined yet.

There are no localized versions of the new standard yet, e.g. the Dutch NEN 17799 or its adaptation to Dutch legislation (ADV7799:2004 nl).

Consequences
If the new BS 7799-2 is released in November, it will be the only basis for certification or recertification. There may be a transition period, but that is decided by the local certification body and has not been published yet. Meanwhile, if you need to certify before the November release, you have to use the current BS 7799-2, but with the new controls published in ISO 17799:2005, because the old ISO 17799:2000 has been withdrawn.

Evaluations of security management practice at client sites now need to be done on the basis of the new code of practice. This means that the tools used for these evaluations need to be adapted. Newly formulated security policies that the client requires to be in line with the code also need to be adapted to the new situation.

The impact of the new code is not too big, since patch management and incident response were already receiving attention in practice. But as certification processes are very precise, it is good to have a thorough understanding of the new standard when you coach a client towards certification.