[1] Following pushback from the user and academic communities, however, the 'key control' concept was dropped when BS 7799 was revised in 1998.
Users were encouraged to determine their own risks and objectives in order to select whichever controls were appropriate to their needs - a more fundamental and flexible approach applicable to organisations of all types, sizes and industries.
BS 7799 Part 2 "Information Security Management Systems - Specification with guidance for use."
was first published by BSI Group in 1999 as a formal specification supporting conformity assessment and certification.
The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming cycle), aligning it with quality standards such as ISO 9000.