From "comp.security.misc", by Sue Thomas:
ISO 27001 has, after months in final draft, finally been published as an official ISO standard.
This particular standard defines an 'Information Security Management System' (commonly known as an ISMS), and complements the existing ISO 17799 standard. It basically specifies a best practice framework for the design and maintenance of information security processes within an organization.
The two standards are closely aligned and interlinked, but have very distinct roles:

ISO 17799: This lists many hundreds of individual and detailed security controls, which may be selected as part of the security management system.

ISO 27001: This specifies the overall requirements for the security management system itself. It is this document, as opposed to 17799, against which a certification route is offered. ISO 27001, which was built upon an earlier version of BS7799, has also been made more compatible with other management standards.
THE GLOBAL IMPACT
The publication of the new standard is likely to herald a rapid increase in interest in both information security generally and certification specifically. Organizations already certified via BS7799-2 will take a transitional route, whereas the international status of the new standard is certain to have an impact on the numbers following the certification or compliance route.
This has already started to manifest itself in terms of the record number of pre-orders for the new standard, and the recent membership increases of the Online ISO 17799 User Group (located at http://www.17799.com).
The new standard can be obtained via: StandardsDirect (BSI): http://17799.standardsdirect.org
It will also be available via SNV shortly from the following page: Standards Online:
Finally, the support kit for the standard has also been updated to reflect today's changes: http://www.17799-toolkit.com
Additional information on both these standards can be obtained from the ISO 17799 News website at: