The following questions were presented:
BS 7799 / ISO/IEC 17799 was originally a 'code of practice' published by the DTI. Could you explain the process by which it became a BS standard and then eventually an ISO standard?
In co-operation with BSI British Standards, the DTI published a report in the early 1990s, “User requirements for IT Security Standards”, which was compiled by Sema Group (now Atos Origin). Recommendations from this report led to the formation of a BSI committee (BDD/2) and the publication of BS 7799-1, Code of practice for information security management, in 1995 and BS 7799-2, Information security management. Specification for information security management systems, in 1998.
Further development of these standards over the next five years included a revision process that enabled international comment to be included and, as a result, led to British Standards that had worldwide appeal. International take-up of the standards was substantial, and in 1999 the committee submitted BS 7799-1 to ISO to become an international standard, now ISO/IEC 17799.
The same decision was taken recently in relation to BS 7799-2 and this is anticipated to be published in November 2005 as ISO/IEC 27001.