ISO/IEC 17799 - the International Standard for Information Security Management
ALAN FRASER

ISO/IEC 17799 (formerly BS 7799) is the International Standard for Information Security Management. BS 7799 was originally developed in the UK, in association with the DTI (Department of Trade and Industry), by a group of financial, commercial and industrial companies (including many household names) in order:
To provide a common efficient basis for companies to develop, implement and measure effective information security management and practice.
To provide confidence in inter-company trading.
The areas covered by the Standard (BS ISO/IEC 17799:2005) are:
Risk Assessment and Treatment
Security Policy
Organisation of Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
For an overview of ISO/IEC 17799 by Dr Dave Walton of Dunelm Systems, see here. For detailed information from BSI, see here. The DTI also provides assistance through its Information Security Policy Group, see here. Another site with good information is here: http://www.17799.com/
The standard, as published by BSI under the BS 7799 numbering, is in three parts:
Part 1 (BS ISO/IEC 17799:2005, BS 7799-1:2005) Code of Practice for Information Security Management provides a comprehensive set of controls comprising best practices in information security, which can be used to implement an Information Security Management System (ISMS).
Part 2 (BS ISO/IEC 27001:2005, BS 7799-2:2005) Information Security Management Systems - Requirements specifies the requirements for establishing, implementing, operating, monitoring and maintaining an ISMS, drawing on the controls set out in Part 1. Certification of an organisation's ISMS is carried out against this part.
Part 3 (BS 7799-3:2005) Guidelines for Information Security Risk Management provides guidance on how to set up a risk management process to support the ISMS.
Jana I.S.S. holds all the BSI documentation and has experience of developing policies to comply with ISO/IEC 17799. We can give security advice to companies of any size by carrying out independent reviews of the information security risks, policies, procedures and measures already in place against Part 1 of the Standard. We can also develop the policies and procedures you require to implement and maintain an ISMS, achieving a level of information security equivalent to compliance, whether or not you as an organisation wish to seek certification against Part 2 of the Standard.
The advice given on this and other pages is for general information only, as a starting point for ideas rather than solutions to specific problems. Jana Information Systems Services Limited will not accept legal liability for any consequences for any individual or company of following any advice on this page except as part of a legally-binding contract between this company and a customer, with appropriate professional liability insurance in place.

© Jana Information Systems Services Limited, 2006