When and where did ISO 27001 originate?

To understand the purpose of the ISO 27001 standard, it’s important to know how the framework first came about. 

A brief history of ISO 27001

The ISO/IEC 27001 standard is published by the International Organization for Standardization in partnership with the International Electrotechnical Commission.

In the early 1990s, the UK government’s Department of Trade and Industry (DTI) asked the Commercial Computer Security Centre (CCSC) to create a set of evaluation criteria for determining the security of IT products. (This led to the creation of ITSEC.)

The CCSC was also asked to create a code of best practices for information security. The result was a document known as DISC PD003. Work on DISC PD003 continued and was split into two major fronts: BS7799-1 and BS7799-2. 

In the late 1990s, the BS7799-1 document was organized into 10 sections, each one outlining a series of controls and control objectives. This document laid the groundwork for the ISO 27002 standard. 

Meanwhile, BS7799-2 created a formal standard for developing an Information Security Management System (ISMS). First published in 1998 by the British Standards Institution (BSI), this document eventually evolved into ISO 27001. 

In December 2000, the International Organization for Standardization (ISO) adopted BS7799-1 as the basis for creating its ISO/IEC 17799 standard. 

ISO/IEC held a meeting in Oslo in April 2001 to discuss major revisions to ISO 17799, and work on a new version of the standard continued from 2001-2004. The new version of ISO 17799 was voted on and confirmed in April 2005 in Vienna and published in June 2005.  

Meanwhile, in October 2005, BS7799-2 was formally adopted as ISO 27001. 

Since then there have been a few updates: in 2007, ISO 17799 was renamed as ISO 27002. And in 2017, ISO/IEC 27001:2013 was published as the latest version of the standard, incorporating minor changes in wording and formatting.  

The origin of the Information Security Management System (ISMS)

As businesses moved into the digital age and data security became more of a priority, most companies had specific security controls in place. However, those controls were usually implemented ad hoc or in an attempt to follow various best practices. Different departments and office locations had different controls and processes, making larger initiatives like business continuity planning difficult.

The concept of an information security management system (ISMS) was introduced to help companies take a holistic, systematic approach to information security across the entire organization. Building and maintaining an ISMS helps companies take a more thoughtful and intentional approach to identifying and managing risks. 

The ISO 27001 standard details requirements for building, maintaining, and continuously improving an ISMS.