
While there is never a shortage of information security headlines to peruse daily, one very historically significant story will probably come and go with little to no coverage at all: The twentieth anniversary of the conception of the ISO 27001 and ISO 27002 standards.

Most people know that ISO 27001/2 began life as British Standard BS7799, which was first published on 15th February 1995. What is less well known is that the document was the formalized version of an existing British Standards Institute document, DISC PD0003 “A Code of Practice for Information Security Management” (ISBN 0 580 22536 4), which was originally published on 20th September 1993.

David Lacey, now an independent researcher, writer, consultant, and author, was deeply involved in creating and editing the body of knowledge behind the ISO 27000 family of standards.

Recognized as being a keen innovator who has developed many contemporary security techniques, Lacey is a visiting senior research fellow of the University of Plymouth, an honorary fellow and founder of the Jericho Forum, a member of IOActive’s Strategic Advisory Board, a member of the Infosecurity Europe Hall of Fame, and also writes a popular security blog for Computer Weekly.

Lacey, who has more than 30 years’ experience of directing information security for leading organizations such as Shell, the Royal Mail, and the British Foreign Office, discussed the history of the ISO 27K standards and provided some insight on the state of the standards today.

First off, Lacey says don’t believe everything you read, as several versions of the history of BS7799 can be found on Wikipedia and other sites, but they are grossly inaccurate and written by people who weren’t involved in the process. Virtually everyone connected with the process is now retired, so Lacey thought it useful to record the true story as an historical record of the standards.

The Genesis

The origin of the text that spawned BS7799 goes back much further than most know, Lacey said. The original idea of establishing a set of information security controls came from Donn Parker of SRI International, and several security audit companies were also experimenting with a set of IT controls which eventually became COBIT.

“Donn had become disillusioned with risk assessment methodologies which were very expensive to apply and often came up with the wrong answers,” Lacey recalled.

“He had conducted numerous security reviews in Fortune 500 companies and had found that all of them applied the same type of controls regardless of their sector and risk profile, so he started collecting and documenting security controls and by the late 1980s had assembled a collection of around a hundred baseline controls which were published privately for the I-4 Information Security circle which he conceived and founded.”

Lacey joined Shell International in January 1989 and was impressed by Parker’s baseline concept and decided to apply it across the Shell Group. He believed the idea of a set of standardized security controls was a good fit for Shell at that time as they were aiming to standardize their IT and globalize their business.

“I drew on Donn’s structure and text as a reference, but also collected security policies and controls from across the Shell Group,” Lacey said. “Supported by a colleague, Les Riley of Shell UK, we developed the first draft in 1990 and tested it in the field. The feedback was positive and many useful suggestions were received on enhancements to the controls.”

A formal Shell International publication titled Recommended Security Policies and Baseline Controls was published within the Shell organization in November 1991. The 74-page, pocket-sized document had a similar structure and text to today’s ISO 27002, but contained some additional features such as a “status” indicator which dictates whether a control is essential (applies everywhere) or special (needs a risk assessment).

“Around 90% of controls were judged to be essential, resulting in a massive reduction in the need for professional risk assessments,” Lacey noted.

The Impetus

According to Lacey, at the end of the 1980s the UK Department of Trade and Industry (DTI) became concerned that industry was not paying any attention to the myriad of information security standards they were helping to develop, so they decided to hold a seminar in London in November 1990.

“They invited senior security experts from industry as well as members of the security standards community, and there was a 100% difference of opinion,” Lacey recalled. “The standards experts criticized industry for not using their standards, and the industry experts told the standards people that they were developing the wrong standards.”

The DTI then asked the industry experts what should be done, and the answer was simple: start with a user requirement and then develop standards, not the other way around.

“Unfortunately the DTI had run out of budget so we had to wait another year until Sema Group was appointed to conduct a survey of industry requirements,” Lacey said. “The resulting report entitled User Requirements for IT Security Standards contained a prioritized list of security subject areas, and was published in 1992.”

This set the stage for the development of BS7799. At the beginning of 1993, just as DTI was wondering how best to proceed, Steve Jones of Marks & Spencer contacted the DTI and asked them if they could help develop an IT Security standard for accrediting their suppliers, as they were concerned about picking up malware from them.

“The DTI decided to quickly assemble a group of industry representatives from seven different sectors: Shell (me and Les Riley), BOC Group (Neil Twist), BT (Dennis Willets), Marks & Spencer (Steve Jones), Midland Bank (Richard Hackworth), Nationwide (John Bowles) and Unilever (Rolf Moulton),” Lacey said. “There is an incorrect claim on the Internet that the UK National Computing Centre (NCC) helped develop the standards, but they weren’t involved.”

Lacey says the group met early in 1993 and decided to aim for a single document that could become an international standard supported by an accredited certification process. The BSI expert advised the group that the best approach was to produce a Published Document, then put it forward as a fast-tracked British Standard, and then develop an accreditation process. The group agreed and then discussed how to develop the material.

In the next installment of this three-part series, Lacey explains the behind-the-scenes process involved in drafting the original documentation for the standards. The final installment will discuss implementation, certifications, and Lacey’s critical assessment of the state of the ISO 27001/2 standards today.


  • Phil Agcaoili

    It was eerie to read this. The history shared sounds familiar to the US NIST Cybersecurity workshop #1 and #2 that's been happening this year. Gladly they stopped short of us inventing a new standard.

    I'll trump article 3–David does not believe in ISO/IEC 27001:2005 in its current form.

    I'd love to hear where he is in trying to right the ship because he's developing new, competitive standards to ISO. It's admirable, but we don't need yet another security standard. As an industry we're choking on unimplemented or poorly implemented and partially maintained or abandoned standards, to which I challenge many to demonstrate their adoption and maturity.

    Why don't we all stop inventing new standards and form under a base security framework? We are fractured and cannot continue this nonsense.

    • Phil – What should we do when the current standards become so dogmatic and entrenched in the makeup of the body that administers them and they lose plasticity and are unable to adapt and change as needed to stay relevant? And if they are able to adapt – like NERC is ever evolving – how do we keep the process streamlined so it does not become a circus sideshow? The challenges here are many, and the costs of doing it right or wrong are very high – best of course to get it right.

  • But that is what the "senior security experts" are so good at: they create standards. Tons and tons of standards. And after a while the industry has to ignore them to some degree to get anything done.

    • I think you will see similar sentiments from Mr. Lacey in the third installment of the article which is forthcoming…