
What is ISO 17799?


asked Aug 20 at 01:33 PM


ITNoob


ISO 17799 is an international information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC). It was renamed ISO 27002 in 2007. ISO 17799 is an important information security benchmark that other systems around the world are measured against. Dozens of other countries use the ISO 17799 standard, but they sometimes have different titles. The standard provides recommendations for information security management best practices during implementation and sustainment. Information security is defined within the ISO 17799 standard in the section containing the “CIA triad” (which stands for confidentiality, integrity and availability).

The document literally defines information security as: “the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required).”

ISO 17799 is commonly used as a generic term that includes two different standards – ISO 17799 (ISO 27002) and ISO 27001 (formerly BS7799-2), which is an Information Security Management System (ISMS) specification. This standard specification essentially explains how to apply ISO 17799 and certify compliance.

History
ISO 17799 began emerging in the early 1990s, and in the mid-2000s ISO 17799 established itself in most of the world’s major organizations and thus became self-perpetuating. This widespread adoption took place because the standard was revised and strengthened in 1999, and because world organizations were beginning to need an international security standard badly. The standard was revised again in 2005 and renamed ISO 27002 in 2007.

The Specification
The ISO 27001 standard contains twelve different sections that outline security controls and their objectives. The document includes implementation guidance for each control. Here are the twelve sections:

  Risk assessment – Measuring security risks

  1. Security policy – Security management direction

  2. Organization of information security – Governing and organizing information security plans

  3. Asset management – Creating an inventory of information assets along with their classifications and other organizing information

  4. Human resources security – Implementing security measures for new, promoted/demoted, or departing employees

  5. Physical and environmental security – Protecting computer operations and physical systems

  6. Communications and operations management – Managing system security controls

  7. Access control – Restricting access to networks, systems, applications, functions, and data

  8. Information systems acquisition, development and maintenance – Developing security functionality into applications

  9. Information security incident management – Proactively anticipating and responding to security breaches

  10. Business continuity management – Protecting, maintaining, and recovering important business components and systems

  11. Compliance – Maintaining standard information security policies

Continuing Development
As part of a routine cycle every few years, the ISO and IEC standards bodies will update the information security standards. Revised standards are being published for 2011.


answered Sep 20 at 02:06 PM


mitchp ♦♦
