When and where did ISO 27001 originate?
To understand the purpose of the ISO 27001 standard, it’s important to know how the framework first came about.
A brief history of ISO 27001
The ISO/IEC 27001 standard is published by the International Organization for Standardization in partnership with the International Electrotechnical Commission.
In the early 1990s, the UK government’s Department of Trade and Industry (DTI) asked the Commercial Computer Security Centre (CCSC) to create a set of evaluation criteria for determining the security of IT products. (This led to the creation of ITSEC.)
The CCSC was also asked to create a code of best practices for information security. The result was a document known as DISC PD003. Work on DISC PD003 continued and was split into two major fronts: BS7799-1 and BS7799-2.
In the late 1990s, the BS7799-1 document was organized into 10 sections, each one outlining a series of controls and control objectives. This document laid the groundwork for the ISO 27002 standard.
Meanwhile, BS7799-2 created a formal standard for developing an Information Security Management System (ISMS). First published in 1998 by the British Standards Institution (BSI), this document eventually evolved into ISO 27001.
In December 2000, the International Organization for Standardization (ISO) adopted BS7799-1 as the basis for creating its ISO/IEC 17799 standard.
ISO/IEC held a meeting in Oslo in April 2001 to discuss major revisions to ISO 17799, and work on a new version of the standard continued from 2001 to 2004. The new version of ISO 17799 was voted on and confirmed in April 2005 in Vienna and published in June 2005.
Meanwhile, in October 2005, BS7799-2 was formally adopted as ISO 27001.
Since then there have been several updates:
- In 2007, ISO/IEC 17799 was renamed as ISO/IEC 27002.
- In 2013, ISO/IEC 27001 was revised to align with Annex SL, the high-level structure used for all ISO management system standards.
- In 2017, minor wording and formatting updates were published.
- In 2022, ISO/IEC 27001 was updated again, reducing Annex A controls from 114 to 93 and organizing them into four categories: Organizational, People, Physical, and Technological. The update also addressed modern risks such as cloud services, remote work, and threat intelligence.
The origin of the Information Security Management System (ISMS)
As businesses moved into the digital age and data security became more of a priority, most companies had specific security controls in place. However, those controls were usually implemented ad hoc or in an attempt to follow various best practices. Different departments and office locations had different controls and processes, making larger initiatives like business continuity planning difficult.
The concept of an information security management system (ISMS) was introduced to help companies take a holistic, systematic approach to information security across the entire organization. Building and maintaining an ISMS helps companies take a more thoughtful and intentional approach to identifying and managing risks.
The ISO/IEC 27001 standard outlines requirements for building, maintaining, and continuously improving an ISMS that evolves with emerging threats.
Transition to ISO/IEC 27001:2022
Organizations certified under the 2013 version of the standard must transition to ISO/IEC 27001:2022 by October 31, 2025. After this deadline, certificates issued to the 2013 version will no longer be valid.
This transition period ensures companies have time to adapt policies, procedures, and controls to meet the revised standard. For many, the move to ISO/IEC 27001:2022 is also an opportunity to streamline their ISMS, eliminate redundant controls, and align more closely with modern business and security needs.