September marked the twentieth anniversary of the conception of the ISO27K standards, which originated as a formalized version of an existing British Standards Institute document, DISC PD0003 “A Code of Practice for Information Security Management” (ISBN 0 580 22536 4), first published on 20th September, 1993.
David Lacey, a visiting senior research fellow at the University of Plymouth, founder of the Jericho Forum, and member of the Infosecurity Europe Hall of Fame, was intimately involved in creating that original document.
In our first installment of this series on the history of ISO27K, Lacey recounted the events leading up to the conception of the standards, and in the second chapter of the story he discussed the process involved in the production of the first draft.
In this third chapter of our look at the history of ISO27K, Lacey discusses early implementation and certification efforts, and the eventual adoption of the standards.
Conversion to BS7799
Now that the document had been completed and sanctioned by the authoring members of the group, the real work of establishing the Code as a standard began.
At first, little media publicity was generated by the launch; nonetheless, the document was put forward in a fast-track process to become a full British Standard, eventually to be christened BS7799.
“This involved including many other stakeholders, removing references to international laws, ditching the excellent management overview and the key controls, and then putting it all into a less user-friendly format,” Lacey said.
The price to produce and publish the standard also went up, though Lacey and the group managed to negotiate a deal for bulk purchases, and then they produced a handy pocket-sized version. They had considered producing a Filofax sized version, but that idea never materialized.
Various working groups were established in the UK, Netherlands and Australia to advance the standard and the certification process. The Dutch were keen to press ahead, but the Australians just ended up using it as the basis for producing their own standard.
In the U.S., the National Institute of Standards and Technology (NIST) were in the process of developing their Generally Accepted Principles and Practices for Securing Information Technology Systems in the wake of the Morris worm, and were highly impressed with the standard Lacey’s group had produced.
NIST asked if they could publish the document as a recommended standard, but BSI declined, emphasizing that they intended to protect their copyright, Lacey said. A NIST document was subsequently published in 1996 (PDF), and included a paragraph stating:
“In the early development of this chapter, NIST considered obtaining a copyright release for an excellent practices document that originated in the United Kingdom. Copyright was not obtainable; however, the document was referenced while preparing this chapter. The Code of Practice for Information Security Management is written in a similar style and offers short concise practices in IT security. It is highly recommended that this document be obtained as an excellent source for additional information. The document is the British Standard 7799, A Code of Practice for Information Security Management.”
“Unfortunately the BSI copyright killed the prospect of an early uptake of a joint standard – a lesson for future standards,” Lacey lamented. “Why shouldn’t British and International standards be free like US ones? There is a vacuum waiting to be filled for an open, free international standards forum.”
Work on certification schemes began as soon as BS7799 was launched, with the British and the Dutch leading the way, but they adopted very different approaches.
“The Dutch anticipated a slow build up, so they sensibly employed an experienced, part-time manager, Anton Pronk, to run their ICIT scheme. They also expected certification bodies such as KPMG to pay for their own advertising and training, so budgets were much lower,” Lacey recalled.
“The Dutch approach was more pragmatic and more sensible, based on real-world models from other certification schemes. They rightly understood that a Code of Practice was a perfectly sound basis to audit against, and needed no further guidance document,” he continued.
The first accredited certification scheme launched was the Dutch one, under which Shell gained the world’s first certificate (Certificate No: ISC 001) from KPMG for Shell’s Information Services delivered across Europe. The certificate was awarded on 1st September 1997.
“In contrast, the British chose to establish an organization of full-time employees and to invest in training and marketing initiatives. They were also persuaded by the British audit community to develop a second guide based on the control objectives to facilitate a tick-box approach to the audit,” Lacey explained.
“The British c:cure certification scheme was not launched until after the BS7799 Part 2 was published in 1998. It took so long to get going that it ran out of money and was closed down, though a replacement scheme was launched in 2003.”
The uptake of BS7799, not to mention the certification process, was very slow, and Lacey says there were several reasons for this: one was the weak marketing of the standard, and another was the refusal to allow NIST to publish it.
A third reason was the fact that the Finance community already had their own individual standards in place, and it’s a bad move to change anything subject to regulation that’s already passed an audit.
“I know one security manager in a financial institution who lost his job because he adopted the standard without having implemented all the necessary measures resulting in his company failing an audit,” Lacey said.
A fourth reason was the popularity of the SAS 70 process in the U.S., which satisfied the need for security assurance of outsourced services.
“Perhaps a more significant reason however was that many security managers in the 1990s did not have sufficient skills or influence to drive through the uptake of a new standard,” Lacey speculated. “Out of the companies that developed and supported the standard, only Shell implemented it properly.”
Lacey said that eventually the standard and its certification schemes caught on, driven by trends such as increased outsourcing, globalization, regulatory compliance, and tighter procurement and supplier management standards, which all favored the use of an internationally recognized standard supported by a formal accredited certification scheme.
In the final installment of our look at the history of ISO27K, Lacey will offer his own critical assessment of the state of the ISO27K standards today and how compliance is killing security innovation.