Introduction to the

ISO 27000 series

• ISO 27000 – principles and vocabulary (in development)

• ISO 27001 – ISMS requirements (BS7799 – Part 2)
• ISO 27002 – (ISO/ IEC 17799:2005) from 2007 onwards
• ISO 27003 – ISMS Implementation guidelines (due 2007)
• ISO 27004 – ISMS Metrics and measurement (due 2007)
• ISO 27005 – ISMS Risk Management
• ISO 27006 – 27010 – allocation for future use
 ISO 27000: Principles & Vocabulary

• This standard will explain the terminology for all the 27000 series
family of standards
• This development will address global concerns on definitions that
vary from country to country – so consistency will be established
• Hopefully these principles will impact on other standards like
COBIT(IT Processes) and ITIL (IT Service Delivery) and avoid any
confusion
 ISO 27001: ISMS Requirements
• ISO/ IEC is progressing an ISMS standard based on BS7799 Part 2
– With some improvements and changes
– Annex B (Implementation Guidance has been removed) this will become 27003
– At the final stage of editorial balloting
– Estimated publication date November 2005
• Once ISO 27001 is published BS7799 Part 2 will be withdrawn
• Interim Period (Now until November 2005)
– The technically stable version ISO/IEC FDI 27001 is likely to be available for
purchase from BSI.
– BSI have quoted ‘those purchasing the FDIS version now will get a copy of the ISO
version when published’ (estimated to be November 2005)
 ISO 27001
ISMS Requirements
BS 7799 Part 2: 2002 (Clause No)
1.2 Application
3 Terms and Definitions
4.2.1 Establish the ISMS
Item a) Define the scope of the ISMS
Item c) Define a systematic approach to
risk assessment
Item g) select control objectives and
controls for the treatment of risks
ISO/ IEC 27001:2005 (Clause No)
1.2 Application
3 Terms and Definitions
4.2.1 Establish the ISMS
Item a) Define the scope and boundaries of the
ISMS
The second sentence in Item c) Define the risk
assessment approach of the organisation’ has
been deleted and a new sentence added
Item g) select control objectives and controls for
the treatment of risks has been extended
Comments and interpretation on changes and differences
The ‘Application’ clause has been re-organised, so that the first
paragraph concentrates on the fact the exclusions from Clauses
4 – 8 of ISO/IEC 27001 are not acceptable, and the second
paragraph concentrates on explaining the conditions under
which the control exclusions are possible. The content of and the
requirements in this clause have not been changed.
New definitions have been added from ISO/IEC 13335-1:2004,
ISO/IEC TR18044:2004 and ISO/IEC Guide 73:2002. some of
the existing definitions have been modified to align with the
standard ISO/IEC 13335 – 1:2004. The definitions of ‘risk
treatment’ and ‘statement of Applicability have been modified for
clarification purposes.
Remains the same
This clarifies that the scope and boundaries of the ISMS shall be
defined to ensure that details of and justification for any
exclusions from the scope are included, with a reference to
clause 1.2 Application of this standard.
The second sentence of Item c) was deleted. The rest of the text
remains and a new sentence has been added to provide a
clarification of and addition to the existing requirement, stating
that the risk assessment method selected shall produce
comparable and reproducible results.
This is clarification of and addition to the existing requirement
addressing that the selection shall take account of the criteria for
accepting risks (4.2.1c) as well as legal, regulatory and
contractual requirements.
 ISO 27001: ISMS Highlights
Clarifies and improves existing PDCA process requirements
– ISMS scope (inc. details & justification for any exclusions)
– Approach to risk assessment (to produce
comparable & reproducible results)
– Selection of controls (criteria for accepting risks)
– Statement of Applicability (currently implemented)
– Reviewing risks
– Management commitment
– ISMS internal audits
– Results of effectiveness and measurements
(summarised statement on ‘measures of effectiveness’)
– Update risk treatment plans, procedures and controls
 ISO 27002: ISO/IEC 17799:2005(from Nov05)
• 11 sections specify 39 control objectives to protect information assets
• Provides 134 best practice controls that can be adopted based on a risk
assessment process – but leaves an organisation free to select controls
not listed in the standard – giving great flexibility in implementation
(but challenging for certification bodies!)
• New recommendations cover :
- security of external service delivery & provisioning of outsourcing
- patch management and other current issues
- security prior to, during and at termination of employment
- guidance on risk management, and a section on incident management
- mobile, remote & distributed communications & information processing
 ISO 27003 : ISMS Implementation Guidelines
• A new (JTC 1/SC27) project on implementation
guidelines to support the new requirement
specification standard
• Annex B of BS7799 Part 2 is the basis:-
- overview
- management responsibilities
- governance & regulatory compliance
- personal security & human resources
- asset management
- availability/continuity of business processes
- handling information incidents
- access control
- risk management case studies
 ISO 27004 : Metrics and Measurement
• ISO/IEC has a new project to develop an
ISMS Metrics and Measurements Standard
• This development is aimed at addressing
how to measure the effectiveness of ISMS
implementations (processes and controls)
– Performance targets
– What to measure
– How to measure
– When to measure
 ISO 27005: ISMS Risk Management

• A new standard on ‘Information Security Risk Management’ – an

ISO version of the soon to be published BS7799 Part 3
• This standard is being drawn up by the DTI/Cabinet Office – with
significant input from CSIA (central Sponsor for Information
Assurance) – draft for consultation came out in July 2005 with
consultation period finishing in October 2005
• Will be linked to MITS-2 - a new management standard for ICT risk
management – currently in development
 ISO 27000 series : Benefits/Obstacles
BENEFITS
• Alignment to ISO 9000 series on Quality Management
• Ensured a level of consistency in IS Management
• International cohesion
• Professional acknowledgement
• Governance Benefits
OBSTACLES
• International acceptance & take-up
• Nation state support & agreement