The Green Books code of practice came in a green cover and therefore became known as the Green Book, which consists of evaluation criteria and certification schemes for IT security management in organisations [DTI89]. The CCSC (Commercial Computer Security Centre) of the British DTI (Department of Trade and Industry) published the User’s code of practice and the Vendor’s code of practice as codes of good security practice in 1989. Some sections of the Green Books shaped the BS 7799 standard for IT
security . Subsequently, BS7799 was split into two parts in 1999, which covers both code of practice (BS7799-1) and specifications for certification (BS7799-2), which was revised in 1999.
The British companies and the NCC (National Computing Centre) developed the User’s code of Practice for information security management in 1993. The Code of Practice for IT Security Management was the result of further revision as the British standard BS 7799:1995. Several organisations outside of the UK (United Kingdom) used the standard as a best practice guideline for the information security management. It was revised because of extensive international interests to include new technologies and processes
such as E-Commerce and mobile computing in 1999.
The ISO (International Organisation for Standardisation) is an international organisation for standards from different national standard organisations [Int13]. The IEC (International Electrotechnical Commission) publishes international standards for all electrical, electronic and related technologies [Int05]. The ISO and IEC cooperated to publish the next information security standard.
The first part of BS 7799 was published as ISO/IEC 17799 in 2000 and revised again in 2005 under the name ISO/IEC 17799:2005. The result of the next revision was ISO/IEC 27002:2005. The second part of BS 7799, namely BS 7779-2, was revised in 2002 to be compatible with other management standards changes, such as ISO 9001:2000. The ISO and the IEC published ISO/IEC 27000 as a composition of different information security
standards for information security management, risks and controls within an ISMS. The ISO information security standards before the ISO 2700x family of standards were ISO 13335 and the aforementioned ISO 17799.
ISO 27000 provides an overview and vocabulary, while ISO 27002, offering the code of practice for an ISMS, contains general recommendations for information security activities. In the beginning of 2007, ISO 17799 was renamed as ISO 27002, which consists of management level Recommendations for IT security management. ISO 27002 is a reference for selecting commonly accepted controls in the process of implementing an
ISMS, based on the specific information security risk environment of each organisation. The ISO committee finally released ISO 27001:2005 as part of the ISO 2700x family. The ISO committee published the latest revision of the standard in September 2013. Figure 2.1 shows the history of information security documents from the 1980s to the ISO 27001 update in 2013. Following the changes in the structure and content of the international standard for information security, the next section describes ISO 27001 in