Search in ISMS Guides


Sunday, July 29, 2007

0.8 Developing your own guidelines

This code of practice may be regarded as a starting point for developing organization specific
guidelines. Not all of the controls and guidance in this code of practice may be applicable.
Furthermore, additional controls and guidelines not included in this standard may be required. When
documents are developed containing additional guidelines or controls, it may be useful to include
cross-references to clauses in this standard where applicable to facilitate compliance checking by
auditors and business partners.

0.7 Critical success factors

Experience has shown that the following factors are often critical to the successful implementation of
information security within an organization:
a) information security policy, objectives, and activities that reflect business objectives;
b) an approach and framework to implementing, maintaining, monitoring, and improving
information security that is consistent with the organizational culture;
c) visible support and commitment from all levels of management;
d) a good understanding of the information security requirements, risk assessment, and risk
e) effective marketing of information security to all managers, employees, and other parties to
achieve awareness;
f) distribution of guidance on information security policy and standards to all managers,
employees and other parties;
g) provision to fund information security management activities;
h) providing appropriate awareness, training, and education;
i) establishing an effective information security incident management process;
j) implementation of a measurement 1 system that is used to evaluate performance in
information security management and feedback suggestions for improvement.

0.6 Information security starting point

A number of controls can be considered as a good starting point for implementing information
security. They are either based on essential legislative requirements or considered to be common
practice for information security.
Controls considered to be essential to an organization from a legislative point of view include,
depending on applicable legislation:
a) data protection and privacy of personal information (see 15.1.4);
b) protection of organizational records (see 15.1.3);
c) intellectual property rights (see 15.1.2).
Controls considered to be common practice for information security include:
a) information security policy document (see 5.1.1);
b) allocation of information security responsibilities (see 6.1.3);
c) information security awareness, education, and training (see 8.2.2);
d) correct processing in applications (see 12.2);
e) technical vulnerability management (see 12.6);
f) business continuity management (see 14);
g) management of information security incidents and improvements (see 13.2).
These controls apply to most organizations and in most environments.
It should be noted that although all controls in this standard are important and should be considered,
the relevance of any control should be determined in the light of the specific risks an organization is
facing. Hence, although the above approach is considered a good starting point, it does not replace
selection of controls based on a risk assessment.

0.5 Selecting controls

Once security requirements and risks have been identified and decisions for the treatment of risks
have been made, appropriate controls should be selected and implemented to ensure risks are reduced
to an acceptable level. Controls can be selected from this standard or from other control sets, or new
controls can be designed to meet specific needs as appropriate. The selection of security controls is
dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment
options, and the general risk management approach applied to the organization, and should also be
subject to all relevant national and international legislation and regulations.
Some of the controls in this standard can be considered as guiding principles for information security
management and applicable for most organizations. They are explained in more detail below under the
heading “Information security starting point”.
More information about selecting controls and other risk treatment options can be found in clause 4.2
"Treating security risks".

0.4 Assessing security risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on
controls needs to be balanced against the business harm likely to result from security failures.
The results of the risk assessment will help to guide and determine the appropriate management action
and priorities for managing information security risks, and for implementing controls selected to
protect against these risks.
Risk assessment should be repeated periodically to address any changes that might influence the risk
assessment results.
More information about the assessment of security risks can be found in clause 4.1 “Assessing
security risks”.

0.3 How to establish security requirements

It is essential that an organization identifies its security requirements. There are three main sources of
security requirements.
1. One source is derived from assessing risks to the organization, taking into account the
organization’s overall business strategy and objectives. Through a risk assessment, threats to
assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential
impact is estimated.
2. Another source is the legal, statutory, regulatory, and contractual requirements that an
organization, its trading partners, contractors, and service providers have to satisfy, and their
socio-cultural environment.
3. A further source is the particular set of principles, objectives and business requirements for
information processing that an organization has developed to support its operations.

0.2 Why information security is needed ?

Information and the supporting processes, systems, and networks are important business assets.
Defining, achieving, maintaining, and improving information security may be essential to maintain
competitive edge, cash flow, profitability, legal compliance, and commercial image.
Organizations and their information systems and networks are faced with security threats from a wide
range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood.
Causes of damage such as malicious code, computer hacking, and denial of service attacks have
become more common, more ambitious, and increasingly sophisticated.
Information security is important to both public and private sector businesses, and to protect critical
infrastructures. In both sectors, information security will function as an enabler, e.g. to achieve egovernment
or e-business, and to avoid or reduce relevant risks. The interconnection of public and
private networks and the sharing of information resources increase the difficulty of achieving access
control. The trend to distributed computing has also weakened the effectiveness of central, specialist
Many information systems have not been designed to be secure. The security that can be achieved
through technical means is limited, and should be supported by appropriate management and
procedures. Identifying which controls should be in place requires careful planning and attention to
detail. Information security management requires, as a minimum, participation by all employees in the
organization. It may also require participation from shareholders, suppliers, third parties, customers or
other external parties. Specialist advice from outside organizations may also be needed.

0.1 What is information security ?

Information is an asset that, like other important business assets, is essential to an organization’s
business and consequently needs to be suitably protected. This is especially important in the
increasingly interconnected business environment. As a result of this increasing interconnectivity,
information is now exposed to a growing number and a wider variety of threats and vulnerabilities
(see also OECD Guidelines for the Security of Information Systems and Networks).
Information can exist in many forms. It can be printed or written on paper, stored electronically,
transmitted by post or by using electronic means, shown on films, or spoken in conversation.
Whatever form the information takes, or means by which it is shared or stored, it should always be
appropriately protected.
Information security is the protection of information from a wide range of threats in order to ensure
business continuity, minimize business risk, and maximize return on investments and business
Information security is achieved by implementing a suitable set of controls, including policies,
processes, procedures, organizational structures and software and hardware functions. These controls
need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure
that the specific security and business objectives of the organization are met. This should be done in
conjunction with other business management processes.

The ISO Standard ISO/IEC 17799 Table-of-Contents (Cont)

10 Communications and operations management
10.1 Operational procedures and responsibilities
10.1.1 Documented operating procedures
10.1.2 Change management
10.1.3 Segregation of duties
10.1.4 Separation of development, test, and operational facilities
10.2 Third party service delivery management
10.2.1 Service delivery
10.2.2 Monitoring and review of third party services
10.2.3 Managing changes to third party services
10.3 System planning and acceptance
10.3.1 Capacity management
10.3.2 System acceptance
10.4 Protection against malicious and mobile code
10.4.1 Controls against malicious code
10.4.2 Controls against mobile code
10.5 Back-up
10.5.1 Information back-up
10.6 Network security management
10.6.1 Network controls
10.6.2 Security of network services
10.7 Media handling
10.7.1 Management of removable media
10.7.2 Disposal of media
10.7.3 Information handling procedures
10.7.4 Security of system documentation
10.8 Exchange of information
10.8.1 Information exchange policies and procedures
10.8.2 Exchange agreements
10.8.3 Physical media in transit
10.8.4 Electronic messaging
10.8.5 Business information systems
10.9 Electronic commerce services
10.9.1 Electronic commerce
10.9.2 On-Line Transactions
10.9.3 Publicly available information
10.10.1Audit logging
10.10.2Monitoring system use
10.10.3Protection of log information
10.10.4Administrator and operator logs
10.10.5 Fault logging
10.10.6Clock synchronization

11 Access control
11.1 Business requirement for access control
11.1.1 Access control policy
11.2 User access management
11.2.1 User registration
11.2.2 Privilege management
11.2.3 User password management
11.2.4 Review of user access rights
11.3 User responsibilities
11.3.1 Password use
11.3.2 Unattended user equipment
11.3.3 Clear desk and clear screen policy
11.4 Network access control
11.4.1 Policy on use of network services
11.4.2 User authentication for external connections
11.4.3 Equipment identification in networks
11.4.4 Remote diagnostic and configuration port protection
11.4.5 Segregation in networks
11.4.6 Network connection control
11.4.7 Network routing control
11.5 Operating system access control
11.5.1 Secure log-on procedures
11.5.2 User identification and authentication
11.5.3 Password management system
11.5.4 Use of system utilities
11.5.5 Session time-out
11.5.6 Limitation of connection time
11.6 Application and information access control
11.6.1 Information access restriction
11.6.2 Sensitive system isolation
11.7 Mobile computing and teleworking
11.7.1 Mobile computing and communications
11.7.2 Teleworking

12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
12.1.1 Security requirements analysis and specification
12.2 Correct processing in applications
12.2.1 Input data validation
12.2.2 Control of internal processing
12.2.3 Message integrity
12.2.4 Output data validation
12.3 Cryptographic controls
12.3.1 Policy on the use of cryptographic controls
12.3.2 Key management
12.4 Security of system files
12.4.1 Control of operational software
12.4.2 Protection of system test data
12.4.3 Access control to program source code
12.5 Security in development and support processes
12.5.1 Change control procedures
12.5.2 Technical review of applications after operating system changes
12.5.3 Restrictions on changes to software packages
12.5.4 Information leakage
12.5.5 Outsourced software development
12.6 Technical Vulnerability Management
12.6.1 Control of technical vulnerabilities

13 Information security incident management
13.1 Reporting information security events and weaknesses
13.1.1 Reporting information security events
13.1.2 Reporting security weaknesses
13.2 Management of information security incidents and improvements
13.2.1 Responsibilities and procedures
13.2.2 Learning from information security incidents
13.2.3 Collection of evidence

14 Business continuity management
14.1 Information security aspects of business continuity management
14.1.1 Including information security in the business continuity management process
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing continuity plans including information security
14.1.4 Business continuity planning framework
14.1.5 Testing, maintaining and re-assessing business continuity plans

15 Compliance
15.1 Compliance with legal requirements
15.1.1 Identification of applicable legislation
15.1.2 Intellectual property rights (IPR)
15.1.3 Protection of organizational records
15.1.4 Data protection and privacy of personal information
15.1.5 Prevention of misuse of information processing facilities
15.1.6 Regulation of cryptographic controls
15.2 Compliance with security policies and standards, and technical compliance
15.2.1 Compliance with security policies and standards
15.2.2 Technical compliance checking
15.3 Information systems audit considerations
15.3.1 Information systems audit controls
15.3.2 Protection of information systems audit tools

The ISO Standard ISO/IEC 17799 Table of Contents

0 Introduction
0.1 What is information security ?
0.2 Why information security is needed ?
0.3 How to establish security requirements
0.4 Assessing security risks
0.5 Selecting controls
0.6 Information security starting point
0.7 Critical success factors
0.8 Developing your own guidelines

1 Scope

2 Terms and definitions

2.1 asset
2.2 control
2.3 guideline
2.4 information processing facilities
2.5 information security
2.6 information security event
2.7 information security incident
2.8 policy
2.9 risk
2.10 risk analysis
2.11 risk assessment
2.12 risk evaluation
2.13 risk management
2.14 risk treatment
2.15 third party
2.16 threat
2.17 vulnerability

3 Structure of this standard
3.1 Clauses
3.2 Main security categories
3.2.1 Control
3.2.2 Implementation guidance
3.2.3 Other information

4 Risk assessment and treatment
4.1 Assessing security risks
4.2 Treating security risks

5 Security policy
5.1 Information security policy
5.1.1 Information security policy document
5.1.2 Review of the information security policy

6 Organization of information security
6.1 Internal organization
6.1.1 Management commitment to information security
6.1.2 Information security co-ordination
6.1.3 Allocation of information security responsibilities
6.1.4 Authorization process for information processing facilities
6.1.5 Confidentiality agreements
6.1.6 Contact with authorities
6.1.7 Contact with special interest groups
6.1.8 Independent review of information security
6.2 External parties
6.2.1 Identification of risks related to external parties
6.2.2 Addressing security when dealing with customers
6.2.3 Addressing security in third party agreements

7 Asset management
7.1 Responsibility for assets
7.1.1 Inventory of assets
7.1.2 Ownership of assets
7.1.3 Acceptable use of assets
7.2 Information classification
7.2.1 Classification guidelines
7.2.2 Information labeling and handling

8 Human resources security
8.1 Prior to employment
8.1.1 Roles and responsibilities
8.1.2 Screening
8.1.3 Terms and conditions of employment
8.2 During employment
8.2.1 Management responsibilities
8.2.2 Information security awareness, education, and training
8.2.3 Disciplinary process
8.3 Termination or change of employment
8.3.1 Termination responsibilities
8.3.2 Return of assets
8.3.3 Removal of access rights

9 Physical and environmental security
9.1 Secure areas
9.1.1 Physical security perimeter
9.1.2 Physical entry controls
9.1.3 Securing offices, rooms, and facilities
9.1.4 Protecting against external and environmental threats
9.1.5 Working in secure areas
9.1.6 Public access, delivery, and loading areas
9.2 Equipment security
9.2.1 Equipment siting and protection
9.2.2 Supporting utilities
9.2.3 Cabling security
9.2.4 Equipment maintenance
9.2.5 Security of equipment off-premises
9.2.6 Secure disposal or re-use of equipment
9.2.7 Removal of property