BS7799/ISO17799 are big standards, as anyone who has ever successfully implemented an ISMS can attest. Updating my book to take account of the new standard, and putting together a tool to help people migrate from the 2000 version to the forthcoming 2005 version, drove home to me just how tough certification really is. And, while the revised version of 17799 brings the standard right up to date, and makes a number of useful improvements, I’m not convinced that it makes the process any more straightforward.
In fact, if anything, it makes the process tougher, not least because it now cross refers to a number of other, supporting (but not mandatory) standards, as well as shifting business continuity and disaster recovery management out of the standard, leaving behind only the information security aspects of both. Large organizations usually have the resources to tackle 17799; smaller ones don’t. The revised standard is not going to make it easier – smaller organizations really need a 17799-lite – one that clearly differentiates between what is essential (eg vulnerability management) and what is relevant only to certain types of companies (eg software development).
Until that happens, it’s going to be incumbent on consultants to help smaller companies find the simple ways of benefitting from the guidance in the standard, and achieving certification as well. If we can’t do that, the standard will survive only as something for larger organizations – which means it won’t survive in the form we know it today.