The International Organisation for Standardisation (ISO) will change the old ISO / IEC 17799:2005 code of practice for information security management to ISO / IEC 27002 in April 2007.
This follows the renaming of the BS 7799-2 specification to ISO 27001 in 2005.
According to Craig Rosewarne, recently appointed Executive Director at Analytix (www.analytix.co.za) and Chairman of the Information Security Group of Africa (www.isgafrica.org): "This is in line with ISO's move to number the 27000 series of information security management standards in a similar fashion to the very successful ISO 9000-series of quality assurance standards."
The following ISO 27000-series standards are either published or planned:
* ISO 27000 - will contain the vocabulary and definitions, i.e. terminology, for all of these information security management standards.
* ISO 27001 - is the information security management system requirements standard (specification) against which organisations are formally certified compliant (previously BS 7799 part 2).
* ISO 27002 - will be the new name for the code of practice for information security management currently known as ISO 17799 and formerly known as BS 7799 part 1. ISO 27002 will provide a catalogue of best practice for information security management, and is not a certification or auditable standard.
* ISO 27003 - will be an implementation guide.
* ISO 27004 - will be an information security management measurement standard to help measure the effectiveness of information security management system implementations.
* ISO 27005 - will be an information security risk management standard (will replace BS 7799 Part 3).
* ISO 27006 - will be a guide to the certification/registration process for accredited ISMS certification/registration bodies.
"We are seeing a strong demand for training and consultancy services around ISO / IEC 17799 and 27001 as both public and private organisations seek to increase their information security," states Rosewarne. "It really makes sense to comply with and adopt a proven standard. Why try and re-invent the wheel when a standard provides proven best-practice from the combined recommendations of thousands of information security professionals around the world."
However, Rosewarne recommends that before adopting a standard such as ISO / IEC 17799 and 27001 into your organisation, consideration needs to be given to:
* Aligning the project with the business objectives of your organisation.
* A clear scope of which information assets you wish to protect.
* Complementary frameworks such as COBIT / ITIL, etc, to avoid duplicating tasks.
* How this will assist with compliance to both local and international legislation such as SOX, ECT Act, etc, where applicable.
"This is where the Analytix approach is gaining popularity among many organisations in Africa. We are planning to rework our ISO 27000 training courses to incorporate the ISO 27002 best practice. The objective of the Analytix information security training is to provide attendees with the necessary skills to develop an information security framework for their organisation based on the ISO 27001 specifications. Attendees will learn how to assess and protect their business against threat and vulnerability, as well as how to evaluate their organisation's information assets and implement a cost-effective security strategy that is compliant with the soon-to-be-published ISO 27002. Attendees will also learn how to benchmark their security practice within their company against this standard," says Rosewarne.