Evaluating the New ISO 17799 Standard

ISO 17799, the world’s most-used information security framework, gets updated.

The world’s most-used information security framework has been updated.

The International Organization for Standardization (dubbed the ISO) and the International Electrotechnical Commission (IEC) announced the release of a new version of ISO 17799, officially known as ISO/IEC 17799:2005 (Information Technology—Security Techniques—Code of Practice for Information Security Management). The original version of ISO 17799 was released in 2000 and was adapted from the first part of British Standard (BS) 7799, which had been released in 1995. (Notably, the second part of BS 7799, covering certification, was not used.) The ISO will withdraw the original version of 17799.

What’s different in the second version? Overall, “the revised version of this standard provides organizations with many state-of-the-art additions and improvements in information security best practices,” says Ted Humphreys, the convener of the ISO/IEC working group that developed ISO 17799. He says the new version of the standard “establishes a truly international, common language for information security for all organizations around the world to engage with each other to do business.”

Even so, not all organizations or governments will necessarily buy in. From its inception, ISO 17799 has attracted its share of criticism. All G-7 nations but one (Britain) voted against its becoming a standard, yet its popularity among smaller countries led to a fast-track ratification, says Michael Rasmussen, an analyst for Forrester Research. “The controversies center on semantics, the standard’s focus on large centralized organizations (as opposed to small or decentralized organizations), the lack of guidance in risk management and analysis, and legislative incompatibilities in certain countries,” including some relating to privacy.

That’s why soon after the standard’s release, a working group already began revising it. “The original standard had some weak areas, which have been addressed in the second version,” says Rasmussen. “The revised version keeps the majority of the structure and content of the previous versions but significantly expands information security guidance to provide a much more complete and well-rounded standard.”

According to Humphreys, the improved guidance includes “better management of security arrangements with external businesses, outsourcing and service providers; enhanced incident-handling capability; dealing with problems of patch management, mobile devices, wireless technologies and harmful mobile code via the Internet; [and] improvements in best practices [for] managing human resources.”

The new 17799 also better addresses risk management. “While mandating risk assessment, neither BS 7799 nor ISO 17799 gives detailed guidance in how risk assessments are to be conducted,” says Rasmussen. The revised ISO 17799, however, now has a tie-in to ISO 13335 (Information Technology—Security Techniques—Management of Information and Communications Technology Security).

Even so, the standard is only a framework. “It gives organizations guidance about scope and breadth, but it does not provide the depth of a strong information security program,” he says. Furthermore, as a code of practice—it defines best-practice controls—the standard is not a requirement specification like BS 7799. Hence ISO 17799 uses the word “should,” while BS 7799 uses the word “shall,” since organizations can use it for accreditation.

Indeed, the ISO emphasizes that 17799:2005 is not suitable for use as a security certification standard. The forthcoming ISO 27001 (Information Security Management System Requirements), scheduled for release in November 2005, however, could be used for certification. It’s a new version of BS 7799 Part 2 (which was last updated in 2002), and will include tie-ins to ISO 17799. Experts expect it, in conjunction with the new version of ISO 17799, to compete with and perhaps replace BS 7799.

Related Articles:

Survey: CEOs Crave Better Perimeter and Access Controls
http://esj.com/security/article.aspx?EditorialsID=966

Best Practices: Staying Ahead of International Regulations
http://www.esj.com/news/article.aspx?EditorialsID=701

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.