The BS 7799 ISMS was not the first one to be proposed as an ISO standard. The original version, BS 7799:1995 was submitted in the summer of 1996 but was narrowly defeated. Those countries who voted in its favour were not dismayed, however. Australia and New Zealand for example recast it (by changing the UK legislative references to corresponding Australian and New Zealand references) and re-published it as AS/NZS 4444. The Netherlands embraced it wholesale and established a certification scheme, which went live early 1997. This international interest encouraged the British to develop the standard further.
Certification Schemes
Indeed, much to the British chagrin, the Dutch were the first to establish a certification Scheme. It included revolutionary ideas on entry and advanced level certification, and self as well as third party certification. The “advanced level” certification recognized that in real life it might be necessary to apply safeguards other than those listed in BS 7799. BDD/2 applauded this idea, and married it with its own ideas on third party certification to create the “c:cure” scheme.
BS 7799 Part 2
Because BS 7799:1995 was a code of practice, how could an assessor associate a pass or fail verdict? Indeed, if non-BS 7799 controls could be included, how would an assessor know which safeguards were to apply and which were not. The answer lay in the creation of BS 7799 Part 2 which spells out precisely what an organization and the assessor need to do in order to ensure successful certification.
Almost by accident, the creation of Part 2 led to the dramatic conclusion that the concept of an ISMS is perhaps of far greater and fundamental importance than the original Code of Practice. By the inclusion of a variety of feedback loops (as shown in the slide on the right), an ISMS allows managers to monitor and control their security systems thereby minimizing the residual business risk and ensuring that security continues to fulfil the corporate, customer and legal requirements.
Less than two years after its creation, the UK “c:cure” certification scheme found itself challenged by alternative schemes predicated on EA7/03, a document entitled “Guidelines for the Accreditation of Bodies operating Certification/Registration of Information Security Management Systems”. This is a document agreed and recognized throughout Europe and the members of the European co-operation for Accreditation. It has formed the basis of various third party audits undertaken within the USA, mainland Europe, Africa and the UK and is recognized in other parts of the world. In view of the wider acceptance of EA7/03, as of 2nd October 2000, the DTI withdrew its support for c:cure and the effectively the c:cure scheme has been terminated, to be replaced by the internationally accepted norm.
The Creation of ISO/IEC 17799
Following the publication of BS 7799:1999 in April 1991, Part 1 of this new version of the standard was proposed as an ISO standard via the “Fast Track” mechanism in October 1999. The international ballot closed in August 2000, and received the required majority voting. In October 2000, eight minor changes to the BS text were approved and the standard was published as ISO/IEC 17799:2000 on 1st December 2000.