ISO 17799 - Information Security Management

Significant confusion surrounds this standard, largely because of its naming history. This page aims to clarify some of the resulting issues.

ISO 17799 is NOT a Systems Management Standard. It IS a code of practice for information security. It lists and details a large number of security controls, which may be selected and applied. It has ALWAYS been a code of practice.

Perhaps the confusion arises from the fact that there is a closely related standard to ISO 17799: namely ISO 27001. This IS a Systems Management Standard. It is intended to work with ISO 17799. It neither replaces it, nor supersedes it. It is also the standard against which certification is offered.

Both of these standards stem from BSI publications. ISO 17799 evolved from BS7799-1, and ISO 27001 evolved from BS7799-2. This shared origin is, to some degree, the cause of the confusion. It may be alleviated when ISO 17799 is renamed to ISO 27002 later in 2007.

This section of the Quality Network is still being developed. We intend to dedicate a significant area to both the above standards, which will include an FAQ and implementation advice. Please call back soon.

Pending completion of this section, the following general sites provide useful background on this standard:
ISO 27002 / 17799 Central
ISO 27002 & ISO 27001 User Group
ISO 17799 News

Last modified February 2007
