ABSTRACT
The development of information security standards on an international level involves the International Organization for Standardization (ISO) and the International Electronics Consortium (IEC). Although other bodies provide sector-specific standards, they are often derived from or refer to the "ISO" standards (commonly referred to as ISO/IEC). In the United States, this work is managed through the American National Standards Institute (ANSI) and the International Committee for Information Technology Standards (INCITS). The group directly responsible for developing, contributing to, and managing this work is INCITS CS/1, cyber security. This group, CS/1, is also responsible for standards work in the areas of information technology (IT) security, privacy, identity management, and biometric security. One major area of focus for CS/1 involves the information security standards known as ISO/IEC 27001:2005 (information security management system (ISMS) requirements) and ISO/IEC 17799:2005 (specification for information security management). To keep things as simple as possible, these will be referred to as "ISO 27001" and "ISO 17799," respectively. It is also important to note that, effective April 2007, ISO 17799 has undergone a numbering change and is renumbered to ISO 27002.