

Wednesday, August 8, 2007

ISO 17799 Overview

ISO 17799 (originally BS 7799) is a widely accepted standard for information security management. It is a great tool for the fundamentals of security management and also helps in promoting information security to top management.

When ISO adopted the British standard BS 7799 it became ISO 17799. The latest version of ISO 17799 was released in 2005.

The standard has 16 sections (0 - 15), as outlined below:

Section 0 - Introduction
The introduction discusses what information security is, why it is important, outlines how to work with information security, and explains how ISO 17799 is a good starting point.

Section 1 - Scope
States that the standard establishes general guidelines for implementing and working with information security, and that risk assessments are required to make good use of the standard.

Section 2 - Terms and Definitions
Defines terminology used in the standard. The following terms are defined: asset, control, guideline, information processing facilities, information security, information security event, information security incident, policy, risk, risk analysis, risk assessment, risk evaluation, risk management, risk treatment, third party, threat, and vulnerability.

Section 3 - Structure of the Standard
Describes the structure of the standard and identifies the eleven security control clauses: Sections 5 to 15 below.

Section 4 - Risk Assessment and Treatment
Section 4.1 describes how risk assessment needs to be performed periodically, and how it is the basis for selecting and implementing security controls.

Section 4.2 outlines the possible options for risk treatment, including:
- applying appropriate controls to reduce the risks;
- knowingly and objectively accepting risks, providing they clearly satisfy the organization's policy and criteria for risk acceptance;
- avoiding risks by not allowing actions that would cause the risks to occur;
- transferring the associated risks to other parties, e.g. insurers or suppliers.

Further, it is pointed out that there is no single solution that fits all. Organisations have to find controls that are appropriate for them.

Section 5 - Security Policy
The objective of the policy is identified as providing clear management direction for information security.
Section 5.1 (Information security policy) covers the policy document and policy review.

Section 6 - Organizing Information Security
Section 6.1 covers internal organization, while section 6.2 discusses external parties.

Section 7 - Asset Management
Section 7.1 discusses responsibility for assets. Section 7.2 is about information classification.

Section 8 - Human Resources Security
Section 8.1 is about the time before employment, section 8.2 is about the employment period, and section 8.3 is about termination or change of employment.

Section 9 - Physical and Environmental Security
Section 9.1 is about secure areas and section 9.2 is about equipment security.

Section 10 - Communications and Operations Management
Section 10.1 is about operational procedures and responsibilities, section 10.2 is about external parties delivering services (outsourcing), and section 10.3 is about system planning and acceptance. Section 10.4 is about malicious and mobile code, section 10.5 is about backups, and section 10.6 is about network security management. Section 10.7 covers media handling and section 10.8 covers exchanges of information. Section 10.9 is about e-commerce, while section 10.10 is about monitoring.

Section 11 - Access Control
Section 11.1 is about business requirements, section 11.2 is about user access management, and section 11.3 is about user responsibilities. Section 11.4 drills down into network access control, section 11.5 examines operating system access controls, section 11.6 is about application-level controls, and section 11.7 is focused on mobile computing and teleworking.

Section 12 - Information Systems Acquisition, Development and Maintenance
Section 12.1 focuses on security requirements, while section 12.2 focuses on correct processing in applications. Section 12.3 is about cryptographic controls and section 12.4 is about the security of system files. Section 12.5 focuses on security in development and support processes, and section 12.6 centres on technical vulnerability management.

Section 13 - Information Security Incident Management
Section 13.1 is about reporting security events and weaknesses. Section 13.2 is about managing incidents and improvements.

Section 14 - Business Continuity Management
Section 14.1 covers information security aspects of business continuity management.

Section 15 - Compliance
Section 15.1 is about compliance with legal requirements, while section 15.2 is about compliance with security policies and standards, and technical compliance. Section 15.3 is about information systems audit considerations.
