BS ISO/IEC 17799:2005 - Frequently asked questions


Why do we need an international standard on information security management?

Organizations need to implement information security controls that meet their own requirements, as well as a set of controls for business relationships with other organizations. The most effective way to do this is to have a common standard of best practice for information security management, such as BS ISO/IEC 17799:2005. Organizations can then benefit from common best practice at a truly international level, ensuring that they can protect their business processes and activities to satisfy business needs.


Does BS ISO/IEC 17799 contain requirements specific to the UK legal system?

No. The first version of BS 7799, published in 1995, did make reference to a number of UK legislative requirements; however, recent revisions do not have these references, as the text is now more general to satisfy an international readership.

BS ISO/IEC 17799:2005 is consistent with the OECD (Organisation for Economic Co-operation and Development) guidelines on privacy, information security and cryptography. The best practice controls in BS ISO/IEC 17799:2005 are described in a way that can be implemented in a variety of legal and cultural environments. For example, BS ISO/IEC 17799 does not prescribe particular solutions for the protection of intellectual property or personal data privacy. It does, however, specify the security objectives that need to be achieved whatever the implementation circumstances.


Does BS ISO/IEC 17799:2005 imply mandatory international certification?

No, it does NOT imply a mandatory international certification scheme. As organizations interconnect electronically, there is a clear benefit in having a common framework for information security management. The standard can help build trust between trading partners and provides a common benchmark for assessing an organization's information security management system (ISMS).

Those organizations that require their management system to be certified should use BS ISO/IEC 27001:2005 (BS 7799-2:2005). Going for certification is a business decision and not something based on or mandated by an international standard.


Doesn't GMITS overlap with BS ISO/IEC 17799:2005?

There is NO overlap between GMITS and BS ISO/IEC 17799:2005; the two documents are complementary to one another. GMITS provides a framework for thinking about managing IT security, whereas BS ISO/IEC 17799:2005 specifies a set of controls to implement the ideas given in GMITS. GMITS discusses high-level concepts of IT security management, whereas BS ISO/IEC 17799:2005 specifies a comprehensive range of controls for the development of an information security management system.

GMITS also introduces general requirements and techniques for risk analysis and management. BS ISO/IEC 17799:2005 applies these techniques to select the controls most appropriate to the business needs. In fact, the process defined in parts of GMITS requires that suitable controls be selected and suggests seeking specific controls from standards such as BS ISO/IEC 17799:2005. This illustrates the important complementary relationship between GMITS and BS ISO/IEC 17799:2005.


How does the Common Criteria relate to BS ISO/IEC 17799:2005?

The scope and purpose of the Common Criteria (CC) and of BS ISO/IEC 17799:2005 neither conflict with nor contradict each other. BS ISO/IEC 17799:2005 specifies controls that can be used to establish an information security management system. Some of these controls may be implemented using evaluated products. The CC addresses the evaluation of security products and of systems made up of products.

Therefore, organizations using BS ISO/IEC 17799:2005 might well choose to implement a control with a firewall that has been evaluated against the CC, as a means of increasing assurance that the firewall control will really work as claimed. Thus BS ISO/IEC 17799:2005 and the CC are complementary and do not overlap.


Is BS ISO/IEC 17799:2005 technology independent?

YES, it is technology independent. BS ISO/IEC 17799:2005 concentrates on the management aspects of information security, defining the controls in enough detail to make them applicable across many different applications, systems and technology platforms, without losing any of the benefits provided by standardization.


Does BS ISO/IEC 17799:2005 imply the need to use UK standards and methods for risk assessment?

Although BS ISO/IEC 17799:2005 takes a risk-based approach to establishing effective information security, it does not imply or mandate any UK standards or methods for risk assessment or risk management. Risk assessment is now also covered in BS ISO/IEC 27001:2005 (BS 7799-2:2005).


What does accredited mean?

In the UK, the United Kingdom Accreditation Service (UKAS) operates under a Memorandum of Understanding from the Department of Trade and Industry. UKAS accredits the competence of certification bodies to perform services in the areas of product and management system approval.

Similar organizations exist in other countries, with responsibility for accreditation within their own national boundaries. You should always look for an accredited certification body when seeking ISO/IEC 27001:2005 certification for your organization, or when reviewing another organization's claims, to be certain that you can rely on the certificate.


What is BS ISO/IEC 27001:2005 (BS 7799-2:2005)?

This new international standard specifies requirements for establishing, implementing and documenting information security management systems (ISMS). It specifies security controls to be implemented by an organization following a risk assessment that identifies the control objectives and controls most appropriate to its own needs. This standard forms the basis of an assessment of the ISMS of the whole, or of part, of an organization and is used as the basis for ISO/IEC 27001:2005 certification.


How long does a certificate last?

A certificate will normally be valid for three years, subject to satisfactory maintenance of the system, which will be checked during surveillance visits at least annually. Thereafter, certificates will typically be renewed for a further three years.


How can I find out more?

There is also an FAQ section for BS ISO/IEC 27001:2005.
