- The origins of ISO 27001 date back to the early 1990s when the British government tasked the Commercial Computer Security Centre (CCSC) with developing security policies such as ITSEC and DISC PD003
- The British standards BS 7799-1 (1995) and BS 7799-2 (1998) laid the foundation for the international recognition of information security management practices and eventually led to the development of the ISO standards.
- In 2000, ISO and IEC published the ISO/IEC 17799 standard, which was renamed to ISO/IEC 27001 in 2005 and became established as the global standard for information security management.
- The ISO/IEC 27001 was last updated in 2022 to account for new technologies like cloud computing and mobile devices, and to provide expanded controls for current security requirements.
From BS 7799 to ISO 27001: The Development of a Global Standard for Information Security Management
With the dawn of the internet in the early 1990s, the IT landscape soon became plagued with security threats. Recognising the potential impact of cybersecurity risks, businesses felt an urgent need for the government to enact guidelines for securing sensitive data.
That's when the UK government's Department of Trade and Industry (DTI), responsible for promoting UK industry and trade, assigned the Commercial Computer Security Centre (CCSC) to develop two key initiatives—IT Security Evaluation Criteria (ITSEC) and Information Security Best Practices—for establishing a benchmark for IT products' security evaluation and creating a code of practices for information security management.
The development of a code of practices for information security resulted in a document called DISC PD003. The CCSC's work on information security best practices took its final form when DISC PD003 was split into BS 7799-1 and BS 7799-2. The BS 7799-1 document (published in 1995) was reorganised in the late 1990s into 10 sections, each outlining a series of controls and control objectives. It eventually laid the foundation for the ISO 27002 standard.
Meanwhile, BS 7799-2 (first published in 1998) complemented BS 7799-1 by creating a formal standard for implementing an information security management system. This British standard soon gained worldwide recognition as a valuable resource for information security risk management and eventually evolved into ISO 27001.
Both initiatives' worldwide adoption caught the attention of ISO and IEC, non-governmental bodies responsible for establishing international standards. Adopting the core principles and best practices of BS 7799-1 as a foundation, ISO and IEC collaborated with the British Standards Institution (BSI) to publish the ISO/IEC 17799 standard in 2000.
Later on, to address the emerging threats, ISO/IEC held a meeting in 2001 to discuss revisions to ISO 17799. A new version of ISO 17799 was voted on and confirmed in April 2005 and finally published in June 2005. The updated standard, now known as ISO/IEC 27001, has since become the globally recognised standard for information security management. In 2007, ISO 17799 was renamed ISO 27002.
2022 Revision – Adjustments to New Technological Challenges
Revising the 2005 version of ISO 27001, ISO/IEC 27001:2013 incorporated minor changes in wording and formatting. Again, in 2022, given significant advancements in technology as well as an increase in the complexity of security threats, the latest revision of ISO 27001 was published, and it remains in effect today. This newest version includes updated guidelines for risk assessment and treatment, as well as expanded controls to address emerging technologies such as cloud computing and mobile devices.