A Short History of the ISO 27000 Standards

The History of the ISO 27000 Series

Although the concept of a series was only conceived and announced in 2005, some of the constituent standards pre-date this considerably. The following potted history maps the main developments with respect to these in chronological order.

The seeds of the standards were sown originally by the UK Government's DTI (Department of Trade and Industry). Its Commercial Computer Security Centre (known as the CCSC) was charged with several major tasks in this area. One of these was to create security evaluation criteria for IT security products, whilst another was the creation of a code of good security practice for information security.

The first of these led to the creation of what became known as ITSEC. The second led to the publication of a document known as DISC PD0003, which followed further development by the Manchester-based NCC (National Computing Centre) and a consortium of user organizations.

PD0003 was organized into 10 sections, each outlining numerous objectives and controls. Despite being published in the early 1990s, its format and content still very much resemble the current ISO 17799/27002 standard.

The PD0003 document continued development under the custodianship of BSI. It eventually became a formal standard, known as BS7799, in 1995.

Development now continued on two major fronts. BSI developed another standard, a specification of an Information Security Management System. This was published in 1998 as BS7799-2, and was eventually to become ISO 27001.

In the meantime, BS7799-1 came under the auspices of ISO, being fast-tracked to become ISO/IEC 17799 in December of 2000. The momentum behind the standards increased as a result.

Despite its recent publication, a major revision of ISO 17799 was initiated at the Oslo meeting of the ISO/IEC JTC1 SC27 Working Group in April of 2001. Comments were invited and these were considered over a lengthy period and at various Working Group meetings (Seoul 2001, Berlin and Warsaw 2002, Quebec City and Paris 2003). Following the Singapore meeting in 2004, a new version of the standard was put to an FCD ballot and passed. The Berlin 2004 meeting further advanced this into a Draft International Standard (DIS). This was ratified at a meeting in Fortaleza in 2004 and confirmed in April 2005, at the Vienna meeting. The new version of ISO/IEC 17799 was finally published in June 2005.

BS7799-2 followed a less complicated route. It was already very much aligned with the approach adopted by other ISO specifications, such as ISO 9000, and hence its adoption as ISO 27001 was more straightforward, with fewer comments to process. This was published in October 2005.

Late in 2007, to align the series numbering system, ISO 17799 was renamed to ISO 27002.

Following the decision to create a series of related standards in 2005, the JTC 1/SC 27 committee initiated the development of a number of them. ISO 27000, ISO 27004 and ISO 27005 are all under active development (current stage 40.60).

Other standards within the series are now also emerging, such as ISO 27799. For projections on future publications, see our Future Standards page.

What is JTC 1/SC 27?

Standards development within ISO is overseen and managed by Joint Technical Committees. In the case of information technology, which embraces information security, this is ISO/IEC JTC 1 (Joint Technical Committee 1). In 1988 a sub-committee of this was established specifically for 'Security Techniques'. This is known as SC27.
