CAMBRIDGE, Mass. – In a new report, "Revised ISO 17799 Boosts Information Security Management Relevance," Forrester explains the evolution of the latest ISO/IEC 17799:2005 standard and emphasizes that it is not a catch-all, but a framework.

The second version of ISO/IEC 17799 (2005 version) "provides a strong and expanded framework for information security management. However it is just a framework – it gives organization guidance about scope and breadth, but it does not provide the depth of a strong information security program," the report states.

BS7799 became an ISO standard in 2000, but it received strong scrutiny from large countries and, although it passed, went into a five-year revision process after the first version was accepted, the report states.

In Forrester's eyes, the 2005 version fixed some of the earlier version's weaknesses. The report notes that the guidance is now more "actionable" and "relevant" to today's focus on regulatory compliance. "The revised version gives more detailed guidance on risk assessment, breaks risk assessment into its own section, and references other ISO risk assessment standards." It also includes a new section on incident management that details reporting of information security events and weaknesses, management of security incidents, etc. ISO 17799 also integrates other ISO standards that focus on security, whereas the earlier version was an "island unto itself," as the report writer put it.

The report concludes that ISO/IEC 17799:2005 is the best choice for firms looking to build an information security program because of its comprehensiveness and the fact that it is the most widely understood and adopted framework. However, the report emphasizes that it is just a framework. "Consider 17799:2005 as the framing of a house – with it, you can see what the house looks like along with the rooms, but it is up to you to put in the drywall, carpeting, plumbing and woodwork."