ISO 17799 2005 Released Today

[Jade5]

Just a quick heads up: The new version of ISO 17799 has finally been published.

For anyone unaware, this has been worked on for quite a long time, and replaces the 2000 edition with immediate effect.

It includes an extra chapter, and much of the existing content has been re-worked or extended.

It's available from the usual places, incuding BSI's 'Standards Direct' (standardsdirect.org/iso17799.htm) and as part of the ISO 17799 Toolkit (iso17799-made-easy.com).

Jade

[lemp]

Hi Jade.

How does this release impact to the BS 7799:2 registration process?. Do we have to wait for BS7799:2:2005?

Best Regards

-luis

[Jade5.]

Luis,

I've looked at this and there seems to be no impact on the registration process.

However, the new ISO 17799 does seem to prepare some ground for the new release of BS7799, which as you may be aware, is expected later this year.

So basically, no change... yet.


Jade

[Knersus]

If your planned date of certification occurs before release of the New Standard, your Statement of Applicability must conform to the Old Standard for your certification.
If your planned date of certification is after release of the standard, your Statement of Applicability will need to conform to the New Standard at certification. Any current ISMS projects aimed at achieving certification after release of the New Standard should consider starting the conversion process now.
If you have an existing ISMS which is due for re-certification after the release of the New Standard, you will have to convert your ISMS so that it complies with the New Standard before you can be re-certified.

Best regards,

Knersus

[whiteHippo]

hi Knersus,

Any official note regarding the certification process that you'd mentioned?

cheers,
lorraine

[Mastman888]

The certification (or re-certification) process will be similar to that of the ISO 9000:94 to 9000:2000 transition. At some point the "old" certificates will cease to be valid and the ISMS will eventually need to be adjusted to the new standard (Quote from BSI: "Once BS ISO/IEC 27001 is published the old BS 7799-2:2002 will be withdrawn. For those certified to BS 7799-2 there will be a transition period.")

So:
- If you're already audited/certified according to BS7799-2:2002 you will have enough time to adjust your ISMS to the 27001 requirements.
- If you're near completion of your ISMS and are planning an audit/cert, I would suggest waiting for the 27001, adjust your ISMS (based on 17799:2005) and going for the new standard certificate. This would be much easier than re-working a BS7799-2 certified ISMS.
- If you're in the early stages, there's no real problem as you are probably using the 2005 version of 17799 and have plenty of time to create your ISMS according to the new standards and requirements.

Hope this helps.

Rob
CISSP

[whiteHippo]

Thanks Rob for the clear explanation.

For those just got certified to BS7799-2:2002, what is the transition period to BS ISO/IEC 27001?

cheers,
lorraine

[Mastman888]

lorraine,
Judging from the 9000 transition, there should be ample time. The 9000:2000 standard was released in December 2000 and all "old" certificates (1994-based) ceased to be valid on 1/1/2003, so that gave people a good two years to adjust.
Also, note that 27001 has not been released yet (expected November 2005), so as soon as that happens, there will be more definite transition-end dates both from BS and ISO.
If I were you though, I would start planning the initial "generic" steps of the transition (assuming from your question that you have recently certified an ISMS). This may also include transition presentations/training offered by most national standards bodies or reputable certification bodies (BS and BVQI respectively pop to mind). These sessions are usually a day long and include mappings of the differences between the old and new standards and you get a pretty good idea of what the transition is all about (and how auditors will handle it!).

Cheers,
Rob, CISSP