Re: ISO 17799 vs BS 7799

From: Phil Fites
Date: Thu, 27 Feb 2003 02:27:21 GMT

ISO/IEC IS17799:2000 differs significantly from BS7799; in
particular, many things that are specific to UK laws and
regulations were altered or removed. Also, BS7799 has a "Part 1"
and a "Part 2"; Part 2 is rather larger and contains specific
measures to which conformity or compliance can be assessed. ISO
17799 has no "Part 2" and the decision by SC27 is that it will not.

Among other things, this means that "audits" for "conformity" to
IS17799:2000 are not possible. From the "Statement related to
use of ISO/IEC 17799 in Canada", Sept. 2002, "There is no
conformity assessment or compliance scheme associated with the
current version of IS 17799, nor is one currently planned for the
revised version. Any and all claims of a conformity assessment
or compliance scheme for IS 17799 are without basis."

ISO/IEC IS17799:2000 is undergoing extensive changes as part of
the process of resolving 658 "defect reports" filed in the first
months after it was published. It is hoped that this can be
completed in time for approval of a new standard to replace ISO
17799-2000 at the SC27 plenary in April-May 2004.

As for "up to date", the ISO standard was finalized in late 2000
after incorporating changes approved at the Tokyo meetings in
October 2000, and the standard has not changed yet. I have no
information about later versions of BS7799.

Eirik Seim wrote:
> On 26 Feb 2003 15:14:00 -0800, Toby Hobson wrote:
>> Hi
>> Could anyone give me a brief overview of the difference between the
>> two standards. In particular which standard is most up to date?
> Last I heard, ISO 17799 is what BS 7799 was in 2000, and the BS 7799 from
> 2002 extends beyond ISO 17799. Try Google, there are tons of sites that
> deal with these standards.
> Reading what I wrote above, I realized this must be the most brief overview
> I've ever seen :)
> - Eirik