I’ve been doing some compliance gap analysis work comparing the policies of one of my clients with ISO/IEC 17799:2005. It was renamed in July of this year to ISO/IEC 27002:2005. So, along with the name change, did the content also change? Having the 2005 tacked on the end of the new name would seem to possibly indicate not. Hmm…
So I contacted Dr. Gary Hinson, ISO/IEC 17799 / ISO/IEC 27002 guru extraordinaire.
He indicated that ISO/IEC 27002:2005 has the exact same content as ISO/IEC 17799:2005; only the title is different.
The ANSI store, which sells the standards, does not really clearly communicate that the content is exactly the same in the renamed document. The description simply states:
“ISO/IEC 27002:2005
Information technology – Security techniques – Code of practice for information security management (Redesignation of ISO/IEC 17799:2005)”
“Redesignation” could mean the content has also changed.
Will everyone know that “redesignation,” as used on the ANSI site, means that only the title has changed, but the content remains exactly the same?
Probably not. I’m sure there have been folks who have made the purchase from the ANSI site only to find they did not get anything updated from what they already had.
So, let’s look at the BSI site, which also sells the standards.
They have more description for the document, including this statement that a little more clearly indicates the content is the same:
“International Relationships ISO/IEC 17799:2005 Identical”
So, if you already have ISO/IEC 17799:2005 and want to be sure you have the most up-to-date version…you already do!
Tags: awareness and training, Gary Hinson, Information Security, ISMS, ISO 27002, ISO/IEC 17799:2005, ISO/IEC 27002, IT compliance, policies and procedures, privacy, risk management