BS 7799

BS 7799 was a British standard "Code of Practice for Information Security Management", first published as such by the British Standards Institution (BSI) in February 1995. Read about the origins of BS 7799 here.

Subsequently, two further parts to BS 7799 were also published (the first becoming BS 7799 Part 1), by which time BSI had become BSI Group.

The original BS 7799 outlined a structured approach to the management of information security but was primarily a description of some 127 information security controls in 10 sections or categories. Each control was designed to address a specified control objective.

Some of the controls considered particularly important at the time were identified as 'key controls' indicated with a key icon in the margin. Following pushback from the user and academic communities, however, the 'key control' concept was dropped when BS 7799 was revised in 1998. Users were encouraged to determine their own risks and objectives in order to select whichever controls were appropriate to their needs - a more fundamental and flexible approach applicable to organisations of all types, sizes and industries.

After a lengthy discussion by standards bodies through ISO/IEC, BS 7799-1 was eventually fast-tracked and adopted as ISO/IEC 17799, "Information Technology - Code of practice for information security management." in 2000. ISO/IEC 17799 was revised in June 2005, and renumbered ISO/IEC 27002 in July 2007 when it was incorporated into the growing ISO/IEC 27000 family of standards.

BS 7799 Part 2 "Information Security Management Systems - Specification with guidance for use." was first published by BSI Group in 1999 as a formal specification supporting conformity assessment and certification. BS 7799-2 explained how to design and implement an information security management system (ISMS) - a systematic approach to the governance and management of information security within an organisation. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming cycle), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO/IEC as ISO/IEC 27001 in November 2005.

BS 7799 Part 3 "Information security management systems - Guidelines for information security risk management" was first published by BSI Group in 2005. BS 7799-3 focuses on the identification, analysis, treatment and monitoring of information risks. It was adapted and adopted by ISO/IEC as ISO/IEC 27005 in 2008. Meanwhile, BS 7799-3 continues to evolve in parallel. It was revised in 2017 and a project was proposed in 2023 to simplify the guidance specifically for smaller organisations.