Standards Development

Scope

This British Standard provides guidance to assist organizations to fulfil the risk management requirements of BS EN ISO/IEC 27001:2023 in a straightforward, easily understandable manner.

This British Standard is relevant to organizations that have or are intending to have an information security management system (ISMS) that conforms to BS EN ISO/IEC 27001:2023; and are new to the topic of information security risk assessment.

This document is applicable to all organizations, regardless of type, size or nature.

Notes:

1) The scope of ISO/IEC 27005 was changed after BS7799-3 was published to exclude opportunities. The subject has been dropped from the proposed revised scope for alignment with the IS.

2) ISO/IEC 27005 can be used as a stand-alone document. It is not appropriate for the revised BS7799-3 document to do this (see proposed changes below), and therefore that has been dropped too).

It is not necessary to restrict the revised scope to SMEs as it can be used by other organizations. Nevertheless, SMEs typically lack expertise in information security risk assessment so that criterion has been added to the revised scope.

Purpose

Most of BS 7799-3:2017 has been incorporated into ISO/IEC 27005:2002, but some parts that are considered useful to SMEs have been omitted. Moreover, ISO/IEC 27005:2002 is more of a reference document than a how-to-guide, and many experts regard some of its content too esoteric/theoretical for SMEs. Moreover, it describes two methods without giving any advice on which to use. These shortcomings can be resolved through a revision of BS 7799-3 that focuses on the needs of SMEs.

BS 7799-3:2017 was created for British Industry because of inadequacies in ISO/IEC 27005:2018 and previous editions. ISO/IEC 27005:2022 is unsuitable for SMEs. Once BS 7799-3 has been revised and is in use, it can be offered to ISO. The revised standard will help organisations, particularly SMEs to fulfil the ISO/IEC 27001 risk assessment and risk treatment requirements.

The relevant TC/SC

The developing committee is IST/33/1 – Information Management Security Systems.

Under the direction of IST/33/1, is responsible for the UK input into ISO/IEC JTC 1/SC 27/WG 1 and CEN/CLC/JTC13/WG2 whose scope is the information security management system (ISMS) family of standards. This includes ISMS requirements, guidelines, accreditation and auditing, and sector specific ISMS standards. The scope also includes the preparation, publication, review and revision of relevant British standards.