ISO 17799 and ISO 27001 Newsletter Edition 11


Edition 11 of the ISO 17799 / ISO 27001 Newsletter has today been
released. It basically launches a new 'Interview' section, which
interviews the prime movers behind these standards.

Hopefully it will be of interest, even to those not usually concerned
with standards.

All the best,





Many people have questioned recent changes and proposed changes, with
respect to both ISO 17799 and BS7799. With so much happening in a
relatively short period, it was perhaps inevitable that confusion would
arise. Hopefully, we can clarify this and explain how events are likely
to unfold.

Essentially we had an 'upgrade' to ISO 17799 in June of this year. This
has been published and is now current. This event was part of the
normal sequence of events for standards, which do not tend to be static.

Perhaps the bigger changes, conceptually, are in the future. These are
framed by the intention of re-numbering the standards so that they are
sequentially aligned. ISO has set aside the numbers from ISO 27000 to
support this. These are now specifically reserved for information
security standards.

The current intention is as follows:

ISO 27001
This will be the number given to the revision of the current BS7799-2
standard. This is the requirements document for an information security
management system (ISMS). The current state of play is that the final
draft has been available for comment for some time, and can indeed be
purchased. The final published version is expected later in the year.

ISO 27002
This number is actually earmarked for ISO 17799 itself (i.e. Security
Techniques - The code of practice for information security management).
At some point in the future, possibly with a revision, 17799 will
become 27002. This change is not imminent.

ISO 27003
This is set aside for a new standard/document covering risk management.

ISO 27004
This number will be assigned to a standard covering Information
Security Management Metrics and Measurements (how, what and when to
measure ISMS processes and controls). It is not expected until 2007 at
the earliest.

ISO 27005
This is likely to provide implementation guidelines, with a potential
publication date of mid 2007.

As part of the overall process, a BS7799-3 standard is being developed,
and has a planned publication date of the very end of this year, or
early next year. It is expected that this will evolve into the above
ISO 27005.


The standards currently published and available are ISO17799:2005 and
BS7799-2:2002. Also available is the final draft of ISO 27001, known as
the FDIS edition.

However, with BS7799-2 due to be withdrawn on final publication of ISO
27001, two standards bodies have decided to provide the final draft of
ISO 27001, with free provision of the final version when it is
published. These are BSI and SNV.

The respective sites from which to obtain all these documents are:



Both these sites also offer a version of the ISO 17799 Toolkit (the
main support resource for the standard) inclusive of ISO 27001, with
the same upgrade arrangement in place.


David L Watson was one of the first ever certified BS7799 Auditors,
possibly THE first, and is one of the most well known names in the
entire information security industry. In an extensive interview, we
covered a full array of issues: an overview of the early audit schemes;
the IRCA scheme; how certification actually works; what the most common
mistakes are; implementation tips; the future of the standard; and much

This proved to be an extremely enlightening session, with full details
produced and recorded. You can read the entire interview on the archive
site of this newsletter: /

This was an exceptional interview and well worth the read for anyone
even remotely interested in the standard.


Now that the publicity glare is diminishing, the attention and focus of
businesses are turning towards the business continuity planning
implications of this disaster.

For general analysis, some matters are already certain, such as the
importance of considering ALL types of potential scenario during the
BIA and risk analysis phases (with resultant implications for
planning). This aspect is actually very well documented within Section
14 of ISO 17799:2005. However, even nitty-gritty controls, such as
off-site backup in a secure REMOTE location, are tested by this sort of

Disasters such as Katrina are very much a wake-up call for the
majority. The unforeseen and unexpected CAN indeed happen, and too
often with devastating results. Businesses should, however, heed the
lessons long after the media have moved on to the next story. We will
be returning to this issue in future editions of the newsletter,
applying particular focus to the planning exercise itself.

NOTE: If any subscribers were affected by this tragic event, we'd like
to hear how your BCP stood up to the test: basically what went right
and what went wrong. Please contact us via the email address below.


BSI, the British Standards Institution, is the oldest standards body in
the world. It has in fact published over 20,000 standards and has
operations in more than 100 different countries. Not surprisingly, the
prefix for its standards is 'BS'. Which of course brings us nicely
around to BS7799.

BSI published the first version of BS7799 in 1995. Perhaps slightly
confusingly, this version went on to become ISO 17799, and a new,
different, BS7799, named BS7799-2, was published in 2002, covering the
requirements for an ISMS as explained above. BSI therefore has had a
key and defining role throughout the history of the standard, being
very much a driving force.

In this interview, we ask BSI about the history, their current role,
the life cycle of a typical standard, and about the forthcoming
BS7799-3 standard.

Again, the details can be read in our new Interview Section: /


- A survey by Computer Security Institute (CSI) and the FBI indicates
that whilst the average loss per cybercrime incident is decreasing, the
number of incidents is still increasing. [ISO 17799 Sections 10 and 11:
Communications & Operations Management and Access Control]

- A man has been arrested in San Francisco for possession of stolen
property: a laptop PC holding personal information on almost 100,000
Berkeley University students. It was apparently stolen from the inner
offices of the 'Graduate Division' whilst unattended during a lunch
period.  [ISO 17799 Section 9: Physical & Environmental Security]

- A recent survey for the instant messaging company Akonix indicates that
around 45% of US IT executives expect to fail to meet the
Sarbanes-Oxley Act deadlines in 2006. [ISO 17799 Section 15.1:
Compliance with Legal Requirements]

- The UK Government has been criticized after a document outlining new
anti-terror measures was emailed to opposition parties... with the
'meta data' still in place. This contained earlier amendments which
caused significant embarrassment. Meta data distribution is actually a
VERY common exposure in business circles. [Sections 8, 10, 11: HR
Security, Communications & Operations Management, and Access Control]

- A study by Trend Micro indicates that users are still more likely to
click on suspicious web links at work than at home! [Section 8: HR

- The US Air Force has had to notify over 30,000 of its personnel that
their personal data had been exposed, after a legitimate user's login
information had been compromised. [Section 11.2: User Access

- USB storage devices continue to increase in popularity.
Unfortunately, a recent survey reveals that almost 20% of company data
is left unencrypted when copied to one. [Section 12.3, 8: Cryptographic
Controls, HR Security]

- Industry News: Symantec seems to have embarked on a sustained
programme of acquisitions, recently adding WholeSecurity, Sygate and
Veritas to its list of pending deals.


The International ISO 17799 User Community was the first truly
international online user group built specifically to support ISO
17799. It is also the biggest dedicated such group in the world, with
representation from every major nation. It is a rapidly growing
community, with free membership, and a vibrant unparalleled online
forum (current location ).

This interview was conducted with the senior administrator and
moderator of the forum, Kate Hartley. It explores the background to the
user group, the inherent problems of running such an entity, and the
future of the group.


Not too long ago service level agreements (SLAs) were the exception,
rather than the norm. Fortunately, however, most organizations are now
aware of the importance of these documents and related contracts.
However, it is equally clear that far too many SLAs are woefully
inadequate, both in terms of quality and supporting procedures. This
can be a real Achilles' heel and a significant risk.

Quite simply, an SLA is essential, in security terms, to govern and
define the receipt of all critical services. It should identify not
only what security measures are in play, but matters such as what
happens when there is a breach (for example, who is responsible for
what actions).

The same applies to service availability. This is sometimes covered in
its own specific schedule within the agreement, and is often the most
difficult aspect to agree. However, from a business continuity
viewpoint it is critical that it properly meets the needs of the
service recipient.

Then there are changes to the SLA itself. How are these governed? The
SLA is an important document, and controls must be applied to ensure
that changes, and their implications, are formally and properly
considered, and signed off at the correct level. See issue 9 of this
newsletter for more information on this aspect.

The ISO 17799 Newsletter has a long history of stressing the importance
of a quality SLA, and makes no apologies for doing so. Too often we see
organizations applying significant effort on direct security controls,
but missing this important potential vulnerability. This blind spot has
been the cause of countless security breaches and losses in the past...
hopefully the future will continue to see this exposure reduced.


Regular readers will be aware that every edition of the ISO 17799
Newsletter ends with several true but slightly bizarre examples of
serious security breaches. As this is a special concise edition, we
would simply draw attention to a little trivia in the form of a poll of
the best previous stories. You can select your favorite "It couldn't
happen here, could it?" and vote for it on the following page:


Contributions: If you have a burning desire to say something on ISO
17799 or ISO 27001, or have some useful information, please feel free
to submit your contribution to us.
