Information Security based on ISO 27001 and ISO 17799:
A Management Guide


This management guide looks at IT Security management with reference to the ISO standards that organisations use to demonstrate compliance with recommended best practice. The reason for developing ISO17799 as an international standard for information security management was originally described by BSI on their website as follows:

‘Many organisations have expressed the need to have a common standard on best practice for information security management. They would like to be able to implement information security controls to meet their own business requirements as well as a set of controls for their business relationships with other organisations. These organisations see the need to share the benefits of common best practice at a true international level to ensure that they can protect their business processes and activities to satisfy these business needs’. (BSI-DISC website)

The ISO/IEC 17799:2000 Code of Practice was intended to provide a framework for international best practice in Information Security Management and systems interoperability. It also provided guidance on how to implement an ISMS that would be capable of certification, and to which an external auditor could refer.

It did not provide the basis for an international certification scheme. Only BS 7799-2 – and now ISO 27001 - can do that. ISO 17799 also provides substantial implementation guidance on how individual controls should be approached. Anyone implementing an ISO 27001 ISMS will need to acquire and study copies of both ISO 27001 and ISO 17799. ISO 27001 mandates the use of ISO 17799 as a source of guidance on controls, control selection and control implementation.: