Frequently Asked Questions about ISO27002 (ISO17799)
It is an ISO
standard defining a 'code of practice' comprising statements of generally accepted good practice for maintaining information security.
Originally, in December 2000. It superseded British Standard BS7799 Part 1, first published by the British Standards Institute (BSI
) in 1995. Apart from the name and trivial details, the bulk of BS7799-1 became word-for-word the same as ISO 17799
. ISO 17799 was revised and reissued during 2005, and then renamed to ISO 27002 in 2007.
Who wrote the original document?
/DISC committee including representatives from a cross section of industry. Legend has it that the original code of practice was based largely on an internal information security manual from a generous oil company, to whom we all owe a debt of gratitude.
Is the standard linked to a national legal framework?
No. ISO 27002
is an international standard and thus not tied to a particular country's legislation. A number of countries have adopted localized variants of the standard but, in most cases, these are simple translations of ISO 27002
What parts of the standard are mandatory
For ISO 27002
, none. ISO
standards are voluntary. Suitable information security controls are selected by the organization to address control objectives deemed in scope as a result of an information security risk assessment.
For certification against ISO 27001
, clauses 4, 5, 6 and 7 are considered mandatory. The standard itself is voluntary but may be mandated by prospective business partners.
was the British Standard Specification for Information Security Management Systems. It was superceded by ISO 27001:2005.
This is the 'Plan-Do-Check-Act' quality assurance process incorporated within BS7799-2
and ISO 27001. It is designed to achieve continuous improvement of information security management.
How many organizations are certified against BS7799-2 or ISO 27001?
This was approaching 2000 at the end of 2007 and is growing strongly.
How do we become certified against the standard?
It is not possible to be formally certified against ISO 27002
. It is only possible to be formally certified against ISO 27001. Whilst anyone can assess and self-certify themselves or a third party against the standard, only certificates that are issued by an Accredited Certification Body
following formal certification assessment processes are generally recognized. You will need to follow the implementation plan outlined elsewhere on this site (Guide To Certification
), and ultimately contact an Accredited Certification Body
for the certification process itself.
How can I scope my ISO 27001 certification? What are the Options?
You may restrict the scope of an ISO 27001 certification by specific business processes, sites, departments etc., or certify the entire organization. The scope must be clearly specified - the convention is to do this within a Statement of Applicability
(SOA) that accompanies the certificate. You can not be certified without an SOA (ISO 27001:2005 4.2.1.j).
Can a certification body assist with implementation?
No. There is clearly a potential conflict of interest if businesses or individual consultants involved in advising an organization are subsequently involved in the formal certification assessment.
Will there be a revision?
Yes. As with all major standards, ISO 27002
and ISO 27001 are periodically reviewed and updated. The 2005 revision of ISO 17799
, for example, introduced new sections for risk analysis and incident management, and a number of other changes throughout the standard. Further, ISO 17799 itself was re-badged as ISO 27002
What is ISO/IEC Guide 62?
is the ISO version of what used to be called BS7799-2
. It was last published in 2005.