Wednesday, January 3, 2018

Difference Among ITIL vs ISO 27001 vs BS 17799 (ISO 27002)

ISO 27001 vs  ITIL
International standardBest practice framework
Defines requirements for the establishment, implementation, maintenance, and continual improvement of an Information Security Management System (ISMS).Presents a set of best practices for IT service management, giving guidance on the provision of quality IT services and the processes, functions, and other capabilities needed to support them.
Applicable to any type and size of organization.Applicable to almost every type of IT environment.
Implementation and certification are optional.Implementation is not subject to certification.
Current version: ISO 27001:2013Current version: ITIL 2011 edition

 ISO 27001 vs BS 17799

ISO 27001BS 17799 (ISO27002)
Requirements in establishing an information security management system are mandatory.  This is a "certifiable" standard. This standard supports ISO 27001 in the sense that ISO 27002 contains "guidelines" on how to implement an ISMS.
While reading through most of the ISO standards, whenever you encounter the word "SHALL" it denotes a mandatory requirement. While the word "SHOULD" denotes a voluntary requirements.
ISO 27001 is aligned with ISO/IEC 17799:2005BS 17799 is based on BS 7799-1
Implementation and certification are optional.Implementation is not subject to certification.

ISO 27001
Requirements for implementing, establishing, and documenting so called ISMS (Information Security Management Systems)
Specifies requirements for security controls to be implemented according to the needs of individual organizations 
ISO 27001 is aligned with ISO/IEC 17799:2005

BS 17799
BS 17799 is more of a Code of Practice or guidance or reference document
It is based on best information security practices
This defines a process to evaluate, implement, maintain, and manage information security
BS 17799 is based on BS 7799-1
Consists of 11 control sections, 39 control objectives, and 134 controls
Is not used for assessment and registration
This was later renamed to ISO 27002

The official name of ISO 27001 is ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements. ISO 27001 is the standard that now supersedes BS 7799-2 for certification requirements. This is important - ISO 27001 relates to certification requirements for the implementation of an information security management system (ISMS). ISO 27001 lists requriements that you must satisfy in order to establish an ISMS.

Another standard related to information security is ISO 17799 which supercedes BS 7799 and which was substantially revised and published in 2005 as ISO/IEC 17799:2005. Then, this standard was later changed to ISO 27002. This standard is more of a best practice or code of practice guide for certain areas.

Summary: The very first standard related to information security was BS 7799. BS 7799 was divided into two parts: BS 7799-1 which later became ISO 17799, and BS 7799-2 which later became ISO 27001.

ISMS certification standard: BS 7799-2:2002 ---> ISO/IEC 27001:2005
Code of Practice standard: BS 7799-1:1999 ---> ISO/IEC 17799:2000 ---> ISO/IEC 17799:2005 ---> ISO/IEC 27002:2005

Note: BS 17799 or ISO 17799? It is practically the same. BS means "British Standard". British Standard 17799 was adopted by the ISO/IEC - International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). BS 7799 series of ISMS standards become ISO standards in 2005.

No comments: