Why are the ISO 27000 Standards Important to Organizations?
I think back to the early 1990′s when the ISO 27001 first began in the Department of Trade and Industry as part of the UK Government as a code for information security management. Times were much different twenty years ago and certainly the risk and threat landscape was radically different. I remember working as a technology consultant in the mid 1990′s as a Unix systems expert and writing shell scripts to keep 2400 baud modems connected to the Internet. Companies asked me to get them connected to the Internet so they could see what the Internet was all about. Organizations asked me to develop web pages for their company and publicize their company, having no idea what type of threats and changes were right around the corner.
In just a few short years the technology ecosystem and threat landscape literally changed right before our eyes and it has increasingly become more complex and dangerous. These experiences and having participated in the evolution of risk over the last 20 years is a fundamental reason why I have a strong grasp and commanding knowledge of the current threat landscape. I don’t have to read about it in a book, I lived it. I think back when I wrote a technical overview of penetration testing for the SANS Institute and how in some cases very little has changed, but the sophistication of attacks and black hat methods have continued to evolve. In that same year, I wrote about advanced incident handling, and hacker exploits for the SANS Institute discussing the various issues, vulnerabilities and exploits commonly associated with port 80 which is commonly used by web servers to allow clients access to various types of information over the Internet. I see many of the same mistakes being made by organizations over a decade later. Fast-forward a decade and experts like Joel Brenner, former inspector general of the National Security Agency, head of counterintelligence for the director of national intelligence is telling us that America companies are bleeding their intellectual property at an alarming rate, especially to the Chinese. I believe the ISO 27001 and body of ISO 27000 standards are foundational to a solid information security and risk management program for all companies in every industry.
By 1995 the original Code of Practice for Information Security Management had became the BS7799, the British Standards Institute Information Security Management System. This iteration had implementation guidance. In 1999, major revisions were launched and the first certifications were offered via BSI and LRQA. Within a year, in 2000, the BS7799 was fast-tracked to the ISO/IEC 17799 Information Technology Code of Practice for Information Security Management and in 2001 the first ISO 17799 Toolkit was launched.
In 2002, a second part to the standards was published as the BS7799-2 as the Information Security Management Specification and this began the process of alignment with the ISO body of management of standards. This step was the fundamental step to get us to where we are now with the ISO 27001, 27002, 27003, 27004, 27005, 27006, etc.
In 2005, as business and the threat landscape continued to morph at an incredible speed along with the adoption of the Internet into every major business plan, a new version of the ISO 17799 was published with new sections and closer alignment to the BS7799-2. In that same year, the BS7799-2 was published as the ISO 27001 and the BS7799-2 was withdrawn. This was a major milestone because the ISO 27001 (Information Security Management System) was now aligned to the ISO 17799 and was also compatible with the large body of ISO standards such as the ISO 9001 and ISO 14001.
Since that time, the ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Sub Committee 27), an international body has met twice a year and continued to evolve and publish new standards at record paces to try to keep up with the changes in the risk management and business landscape.
To read more about the current versions of the ISO 27000 suite of standards refer to the sections below.