British Standard (BS) 7799 from the British Standards Institution (BSI) was first published in 1995 to provide guidance and best practices in information security. After wide consultation, it was determined that there was a need for a "specification" that could be audited against or used as a baseline. Thus, in 1998 a second part ("Part 2") was released, which was a specification for an Information Security Management System.

The original standard ("Part 1") was revised and released in 1999. During calendar year 2000, Part 1 of BS 7799 was adopted by the International Organization for Standardization (ISO) and the International Electrontechnical Committee (IEC). Therefore, Part 1 is now referred to as "ISO/IEC 17799" or "ISO 17799" and Part 2 continues to be referred to as BS 7799-2. The new references are:
ISO/IEC 17799 Part 1: 2000: Code of Practice for Information Security Management
BS 7799 Part 2: 1998: Specification for Information Security Management Systems

Following revisions to bring Part 2 in line with the changes for ISO/SEC 17799 and further revisions on the controls, a new version of Part 2 was released in 2002. When companies indicate that they have been certified against "ISO 17799", the certification is actually against Part 2 not Part 1.

There are now many version of Part 2, as it has been adopted in many countries, such as Japan, Australia, and New Zealand.

Are you confused yet? ISO/IEC 17799 is intended to provide a single reference point for the wide range of controls needed for most situations where information technology is used in industry, commerce, and communication. This detailed security standard is divided into 10 key sections:

  • 1. Information Security Policy
  • 6. Computer and Network Management
  • 2. Security Organization
  • 7. System Access Control
  • 3. Asset Classification and Control
  • 8. Systems Development and Maintenance
  • 4. Personnel Security
  • 9. Business Continuity Planning
  • 5. Physical and Environmental Security
  • 10. Compliance

You can order ISO/IEC 17799 and BS 7799-2 from the BSI Electronic Store at . You can also visit the ISO 17799 online newsletter at or the 17799 International User Group at

You may be wondering how this relates to a SAS 70 examination. First, ISO/IEC 17799 can serve as an excellent reference tool for developing control objectives related to the above 10 areas and determing if the proper control activities are in place. Second, by using ISO/IEC 17799 as a baseline or framework for your information security function, the service auditor should be able to identify the controls that have been placed into operation with greater efficiency.

If you need further information, contact us.

Comments are closed
Sachin Chudasama commented on 20-Oct-2010 05:59 AM
We are a business in the UK who are ISO27001 accredited.
We have just opened an operation in the USA; our networks are joined obviously for remote access. We host applications and data in the USA so that our energy utility clients are safeguarded in regards to US data resides on US soil. Our prospective US clients are asking us whether we are SAS70 qualified.
Can I ask you whether our ISO27001 scope extension to the USA would cater for SAS70? If not, then how do we get SAS70 accredited in the USA - i.e. steps?