ISO/IEC 27000 family

Given the dynamic nature of information risk and security, the ISMS concept incorporates continuous feedback and improvement activities to respond to changes in the threats, vulnerabilities or impacts of incidents.

The standards are the product of ISO/IEC JTC 1 (Joint Technical Committee 1) SC 27 (Subcommittee 27), an international body that meets in person (face-to-face or virtually) twice a year.

The initial release of BS 7799 was based, in part, on an information security policy manual developed by the Royal Dutch/Shell Group in the late 1980s and early 1990s.

In 1993, what was then the United Kingdom's Department of Trade and Industry convened a team to review existing practice in information security, with the goal of producing a standards document.

[4] One of the principal authors of BS 7799 recalls that, at the beginning of 1993, "The DTI decided to quickly assemble a group of industry representatives from seven different sectors: Shell ([David Lacey] and Les Riley), BOC Group (Neil Twist), BT (Dennis Willets), Marks & Spencer (Steve Jones), Midland Bank (Richard Hackworth), Lloyds Bank, Nationwide (John Bowles) and Unilever (Rolf Moulton).