
ISO/IEC 17799 vs. COBIT: How do they differ?

Shon Harris looks at the origins of the ISO/IEC 17799 and COBIT security management standards, and discusses the differences between them.

How do ISO/IEC 17799 and COBIT differ?

ISO/IEC 17799 is a set of best practices for organizations to follow to implement and maintain a security program. It started out as British Standard 7799 (BS7799), which was published in the United Kingdom and became a de facto industry standard used to provide guidance to organizations in the practice of information security.

The British Standard actually had two parts: BS7799 Part I, which outlines control objectives and a range of controls that can be used to meet those objectives, and BS7799 Part II, which outlines how a security program can be set up and maintained. BS7799 Part II also served as a baseline against which organizations could be certified. An organization would choose to be certified against the BS7799 standard to provide confidence to its customer base and partners, and to use the certification as a marketing tool. To become certified, an organization would be evaluated by an authorized third party against the requirements in BS7799 Part II. The organization could be certified against all of BS7799 Part II or just a portion of the standard.

If you are familiar with the ISO 9000 series, this is the same type of idea. Organizations can choose to go through an ISO 9000 certification process, which means third-party evaluators review the organization's business processes. After the organization receives a certification, it is used as bragging rights to indicate that the company has mature, repeatable and effective business processes.

These de facto British Standards were continually improved upon and accepted as ISO standards. The latest revision took place in June of 2005, when BS7799 Part II became ISO/IEC 27001:2005.

So, now we have ISO/IEC 17799:2005, which outlines the best practices of control objectives and controls in the following areas of information security management:

  • security policy
  • organization of information security
  • asset management
  • human resources security
  • physical and environmental security
  • communications and operations management
  • access control
  • information systems acquisition, development and maintenance
  • information security incident management
  • business continuity management
  • compliance

We also have ISO/IEC 27001:2005, which provides guidelines on how to build a security program that integrates the controls in ISO/IEC 17799:2005. ISO/IEC 27001:2005 was developed to be used for several purposes:

  • within organizations to formulate security requirements and objectives;
  • within organizations as a way to ensure that security risks are cost-effectively managed;
  • within organizations to ensure compliance with laws and regulations;
  • within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  • definition of new information security management processes;
  • identification and clarification of existing information security management processes;
  • by the management of organizations to determine the status of information security management activities;
  • by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
  • by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
  • implementation of business-enabling information security;
  • by organizations to provide relevant information about information security to customers.

So, ISO/IEC 17799:2005 is the newest version of BS7799 Part I and ISO/IEC 27001:2005 is the newest version of BS7799 Part II. ISO/IEC 27001:2005 provides the steps for setting up and maintaining a security program, and ISO/IEC 17799:2005 provides a list of controls that can be used within the framework outlined in ISO/IEC 27001:2005.

ISO/IEC 27001:2005 basically lays out the following steps for an organization to follow:

  1. Define an information security policy
  2. Define scope of the information security management system
  3. Perform a security risk assessment
  4. Manage the identified risk
  5. Select controls to be implemented and applied
  6. Prepare an SoA (a "statement of applicability")

(The ISO/IEC 17799:2005 controls are an appendix of ISO/IEC 27001:2005.)

The SoA is where the organization specifies its ISO 27001 certification scope. The scope can include the whole company and its security program, or just a specific department within the company. Certification is optional, but there is more of a demand in the industry for suppliers and business partners to be compliant with this standard. This is because companies are having to depend upon each other more and more, and if one company does not practice effective security measures, this can have a direct and negative effect on the other company.

Continued in: How ISO/IEC 17799 and COBIT differ, part two

This was last published in November 2005
