History of an international standard revision from a Canadian perspective: ISO/IEC 17799:2005

This document is intended to provide an understanding of the revision process of international standards for educational purposes. This document does not present any information on voting or the results of voting other than what can be found on the Internet. Any views or opinions expressed herein are the sole responsibility of the author. At no time should they be interpreted as opinions of CAC-ITS, SC27, ISO/IEC or any organization in which the author may participate.

Introduction

ISO/IEC 17799 is a code of practice. As such, it offers best practices, guidelines and voluntary directions for information security management. It is meant to provide a high-level, general description of the areas considered important when initiating, implementing or maintaining information security in an organization. The document recently underwent a thorough revision which started in April 2001 and ended in June 2005 with the release of version 2005. The joint editors for this revision are Dr. Oliver Weissman from Germany and Dr. Angelika Plate from the United Kingdom, two experienced and skilled IT security experts. This document presents a historical review of this revision from the internal and Canadian perspectives. This was done for educational purposes, as it serves as a good example of the standards maintenance process for a well-known international standard.

What is ISO 17799?

ISO/IEC 17799:2000 addresses topics in terms of policies and general good practices. The document specifically identifies itself as a starting point for developing organization specific guidance. It states that not all of the guidance and controls it contains may be applicable and that additional controls not contained may be required. It is not intended to give definitive details or how-to’s. Given such caveats, the document briefly addresses the following major topics:

  • Establishing organizational security policy,
  • Organizational security infrastructure,
  • Asset classification and control,
  • Personnel security,
  • Physical and environmental security,
  • Communications and operations management,
  • Access control,
  • Systems development and maintenance,
  • Business continuity management, and
  • Compliance.

ISO/IEC 17799:2000 does not provide definitive or specific material on any security topic. It provides general guidance on the wide variety of topics listed above, but typically does not go into depth. ISO/IEC 17799 does not provide the detailed conformance specifications necessary for an organizational information security management program. It does not provide enough information to support an in-depth organizational information security review, or to support a certification program like the ISO/IEC 9000 process quality certification program. Appropriately revised, ISO/IEC 17799 could be useful as a high-level overview of information security topics that could help senior management understand the basic issues involved in each of the topic areas. ISO/IEC 17799 should be augmented by more technical guidance in order to be used effectively for a security review.

History

The origin of ISO/IEC 17799 goes back to the days of the United Kingdom’s Department of Trade and Industry’s (DTI) Commercial Computer Security Centre (CCSC). Founded in May 1987, the CCSC had two major tasks. The first was to help vendors of IT security products by establishing a set of internationally recognized security evaluation criteria and an associated evaluation and certification scheme. This ultimately gave rise to the ITSEC and the establishment of the UK ITSEC Scheme. The second task was to help users by producing a code of good security practice, and resulted in a « Users Code of Practice » that was published in 1989. This was further developed by the National Computing Centre (NCC), and later by a consortium of users, primarily drawn from British industry, to ensure that the Code was both meaningful and practical from a user’s point of view. The final result was first published as a British Standards guidance document, PD 0003: A code of practice for information security management, and following a period of further public consultation became British Standard BS7799:1995.

A second part BS7799-2:1998 was added in February 1998. An extensive revision and public consultation period began in November 1997. In April 1999 a major revision of the standard was published. Accreditation and certification schemes were also launched, and these helped increase the momentum.

Part 1 of the standard was proposed as an ISO/IEC standard via the « Fast Track » mechanism in October 1999 and published with minor amendments as ISO/IEC 17799:2000 on 1st December 2000. BS 7799-2:2002, a second part, which covered ISMS and helped bridge the gap with ISO/IEC 9000, was officially launched on 5th September 2002. It became ISO/IEC 24743:2005 in April 2005 following a fast-track ballot.

Who works on 17799

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National Bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

In the field of information technology, ISO and IEC established Joint Technical Committee 1 (ISO/IEC JTC 1) in 1987. In 1988, Sub-Committee 27 was created as a subcommittee of this joint technical committee (JTC1). Its title is « Security techniques ». Its area of work is the standardization of generic methods and techniques for IT security. National Bodies (NB) of ISO/IEC JTC1 SC27 participate in its activities. In Canada, the NB for JTC1/SC27 is the Canadian Advisory Committee on Information Technology Security (CAC-ITS); it was formed in the fall of 1988, in Toronto.

ISO’s JTC1, sub-committee (SC) 27, IT Security Techniques, was assigned ISO/IEC 17799. Its chairman is Dr Walter Fumy, from Germany, a recognized and published expert in the field of IT security. The secretariat for this committee is managed by the German standards body DIN.

JTC1 SC27’s area of work covers standardization of generic methods and techniques for IT security. This includes:

  • Identification of generic requirements for IT system security services;
  • Development of security techniques and mechanisms;
  • Development of security guidelines; and
  • Development of management support documentation and standards.

Standards developed by SC27 in the past are listed on the web.

It has five Working Groups (WG1 to WG5). ISO 17799 is in Working Group 1 (WG1). The WG1 Chairperson (called Convenor) is Ted Humphreys, from the United Kingdom. Mr Humphreys is a world-renowned IT security expert, chairperson of the ISMS International Users Group, and has been associated with ISO 17799 from its inception.

The latest revision round, from April 2001 to April 2005

The start of the revision process, at least from the Canadian perspective, was the production, by members of CAC-ITS, of a defect report in 2000.

Oslo, Norway

At the ISO/IEC JTC1 SC27 WG meeting, held in Oslo, Norway, from April 23rd to the 27th, 2001, it was agreed, by a majority vote of the participants, to begin the revision of ISO/IEC 17799. The WG1 Convenor, Mr Ted Humphreys, noted that this was in accordance with the resolutions of the Tokyo meeting (16 – 25 October 2000) and with the SC27 2001 Business Plan, which stated that the revision of 17799 would be given the highest priority. We are here at Stage 3: Committee stage. Discussion of ISO/IEC 17799 began in the morning of April 25, 2001. At this stage the current version of the document, ISO/IEC 17799:2000, becomes the starting point for discussions by the international experts in plenary sessions.

It was agreed to send out a call to NBs for contributions and nominations for Project Editor. On April 27, 2001, at the WG1 final plenary meeting, two resolutions were put to a vote. The first was to revise ISO/IEC 17799 and, at the same time, to investigate and report on mechanisms for accreditation against ISO/IEC 17799. The second, the nomination of an Acting Project Editor to begin the revision immediately, was approved. Dr. Oliver Weissman became Acting Project Editor of ISO/IEC 17799.

Seoul, Republic of Korea

From October 15th to the 24th, 2001, an ISO/IEC JTC1 SC27 WG meeting was held in Seoul, Republic of Korea. At this meeting, under the chairmanship of the Acting Project Editor, Dr. Oliver Weissman, two days of WG1 were devoted to the editing group meeting on comments and NB contributions. Good progress was made at this editing meeting, and attendees expressed their satisfaction. Ten countries were represented.

Two Project Editors (PE) for ISO/IEC 17799 were appointed jointly, Dr. Oliver Weissman (Germany) and Dr. Angelika Plate (U.K.); this was unanimously accepted. Following the meeting, the PEs prepared what became the 1st committee draft of the ISO/IEC 17799 revision.

Berlin

An ISO/IEC JTC 1 SC 27 Working Group Meeting was held in Berlin, Germany, from April 22nd to the 26th, 2002. The editing meeting for ISO/IEC 17799 took place over the three days of April 23rd to the 25th, as well as the evening of April 23rd. More than 30 delegates participated. The editors had received over 750 comments on ISO/IEC 17799, which they had organized into categories such as structural, major technical, sectional and editorial. There was, of course, discussion among the experts present on the comments. The editing group worked together to make progress and build consensus. Consequently, a majority of the comments were addressed.

Two informal votes were taken in favour of:

  • the use of guideline-style language (should), as opposed to mandatory language (must, shall),
  • not bringing certification into ISO/IEC 17799, nor producing a separate certification standard.

October 2002

Prompted by growing interest in ISO/IEC 17799 in Canada, in October 2002 CAC-ITS produced and released a document titled: STATEMENT RELATED TO ISO/IEC 17799 USE IN CANADA. It stated:

Warsaw, Poland

Another ISO/IEC JTC1 SC27 Working Group meeting was held on October 7-15, 2002, in Warsaw, Poland. At this meeting ISO/IEC 17799 was again on the agenda. Because of the volume of comments, more than 600, the editing committee was only able to address about one-third of them. Participants agreed to hold an ad hoc meeting to try to get through them all. Unfortunately, too many of the National Body representatives indicated that they would not be able to travel to an ad hoc meeting (no matter where it might have been held), and the participants determined that it was likely that there would be no quorum, rendering the meeting null. It was decided, therefore, to hold an ad hoc three-day meeting immediately preceding the next meetings in Quebec City in April 2003.

Quebec City

On May 5th to 6th, 2003, an SC27 meeting was held in Quebec City. Following that meeting, the resulting version of ISO/IEC 17799 was registered as the 1st committee draft. Following this registration it was circulated for a 3-month ballot ending September 6th, 2003. It was approved.

Paris 2003

On the 20th to the 24th of October 2003, in Paris, France, an ISO/IEC JTC1 SC27 meeting was held. 32 P-members of SC 27 were represented. Working Group 1 allocated two and one half days of the meeting to revising the 1st Committee Draft (CD) of ISO/IEC 17799. More than 212 pages of comments, 480 technical comments, had been received. At this point the document, an existing international standard being revised, is still at Stage 3: Committee stage of the ISO/IEC standards process, where it must go through a thorough review process.

The outcome of the meeting was a Work Plan for the resolution of remaining comments, which was considered at some length at the WG1 Plenary on October 24th and after some revision, based on the plenary discussion, was approved and has been issued. In summary, it was agreed that:

The co-editors would develop a proposed disposition of all remaining comments and circulate this to the editing group participants. Based on the input received back from the editing group participants, the co-editors would then prepare a complete draft containing the proposed resolutions, again for distribution to the editing group participants. This was to be completed by January 20, 2004.

If the second set of feedback comments was unsatisfactory, that is, if there was a failure to achieve consensus on the resolution of the comments, then an Ad Hoc meeting was to be held on February 16-18, 2004, in Berlin.

Following that meeting, the current version of ISO/IEC 17799 was registered as the 2nd committee draft and submitted to a 3-month ballot closing May 19th, 2004. It was approved.

Singapore 2004

On the 19th to the 23rd of April 2004, an ISO/IEC JTC1 SC27 meeting was held in Singapore. Fifty delegates were present at this meeting, representing 22 P-member countries and one O-member country.

Ten countries sent comments regarding ISO/IEC 17799 before this meeting. 694 comments in total were made, 303 technical and 391 editorial. Most of the technical comments were addressed at the meeting. In the end it was decided to hold a three-day Ad-hoc Group meeting on 7th to 9th June 2004, in Berlin, in order to finish the review of the comments and address the newly received ones. National bodies had until May 19th to send their comments on the latest version.

Following the meeting, the version of ISO/IEC 17799 was submitted to a 4 month FCD ballot, ending October 1st, 2004. It was approved.

Berlin 2004

On the 6th to the 9th of June 2004, an ISO/IEC JTC1 SC27 WG1 Ad-Hoc Meeting on ISO/IEC 17799 was held in Berlin, Germany. This special meeting was held to address issues with ISO/IEC 17799 to ensure that it was going to progress on schedule. This was considered necessary at the previous Singapore meeting, where all the comments could not be addressed in the allotted timeframe. At this meeting there were delegates from 17 countries.

The objective was the review of 315 technical comments or editorial comments not reviewed at the previous Singapore meeting. As a result of this meeting the editors produced in June 2004:

  • revised text (FCD) of the 2nd CD ISO/IEC 17799;
  • dispositions of Comments of 2nd CD ISO/IEC 17799.

At the end of the meeting the group held a vote to assess whether there was sufficient support for progressing the document from Final Committee Draft (FCD) to Step 4, Draft International Standard (DIS). The result from those present who had provided contributions and those who gave proxies was 100% approval. The revised document, the Dispositions of Comments and the voting result were sent to the SC27 Secretariat for further action and processing within SC27.

Brazil 2004

From the 18th to the 22nd of October 2004, an ISO/IEC JTC1 SC27 meeting was held in Fortaleza, Brazil. For this meeting 270 comments had been received and were addressed. Following that, the document was approved by acclamation (no disapproval or abstention) to progress to Step 5: Final Draft International Standard (FDIS).

In April 2005, at the ISO/IEC meeting in Vienna, Austria, ISO/IEC 17799 reached Stage 6: Publication. It was published on June 10th, 2005. In 2007 it was renumbered as ISO 27002 to better fit within the ISO 27000 management system family.