The international standards used as baselines to certify security best practice are changing. Now in their tenth year, the BS7799 standards provide a framework for defining and delivering infosec management systems.
The BS7799 and ISO17799 standards will be replaced with a new set of standards that reflect the changing needs of modern IT security, said Ted Humphreys, chairman of the ISO/IEC working group.
BS7799-1 covers best practice and guidelines for managing security, and sets the basis for the ISO 17799 standard. BS7799-2 is the standard against which organizations are tested for compliance.
The new versions will include standards for incident response, vulnerability and patch management, and "external risks," including suppliers, customers (and their data), outsourcing and service-level agreements, added Humphreys.
These will then be published in ISO versions, but not as a revision of 17799. A sweeping revision of the ISO infosec standards is scheduled, with a new 27000 category to be implemented. 27001 will be the first member, based on BS7799-2, and 27002 will follow, incorporating BS7799-1. 27004 will cover metrics and measurement (currently "Annex B" in the BS standard, which is omitted from ISO 17799). This brings the standards in line with the ISO structures for areas such as the 9000 family for business practice and 14000 for environmental issues.
When 27001 is finalized, BS7799-2 will be shelved, requiring new certification for firms that have been through the process, something Humphreys acknowledges might cause difficulties, not least because the industry has spent ten years getting accustomed to the 7799 name.
Humphreys expects a dramatic increase in certification once the new ISO standards are available, particularly with the growing demand for audited compliance-compatible controls.