ISO 17799 is an internationally recognized Information
Security Management guidance standard, first published
by the International Organization for Standardization
(ISO) in December 2000. Its predecessor, the British
standard BS 7799, has existed in various forms for a
number of years, although the standard only really
gained widespread recognition following publication by
ISO. ISO 17799 is high level, broad in scope, and conceptual
in nature. This approach allows it to be applied across
multiple types of enterprises and applications. It has
also made the standard controversial among those who
believe standards should be more precise. In spite of
this controversy, ISO 17799 is the only "standard"
devoted to Information Security Management in a field
generally governed by "Guidelines" and "Best Practices".
ISO 17799 defines information as an asset that may exist
in many forms and has value to an organization. The goal
of information security is to suitably protect this
asset in order to ensure business continuity, minimize
business damage, and maximize return on investments. As
defined by ISO 17799, information security is
characterized as the preservation of:
- Confidentiality - ensuring that information is
accessible only to those authorized to have access
- Integrity - safeguarding the accuracy and completeness
of information and processing methods
- Availability - ensuring that authorized users have
access to information and associated assets when
required
As a Standard that is primarily conceptual, ISO 17799 is
not:
- A technical standard
- Product or technology driven
- Related to the five-part "Guidelines for the Management
of IT Security," or GMITS/ISO 13335, which provides a
conceptual framework for managing IT security
How to use ISO 17799
Information security is, for most companies, of the
highest concern yet can often mean trade-offs in terms
of balancing the requirements of business against the
need for confidentiality, integrity, and availability of
information. Traditionally, information security
management has been based on loosely established best
practices and guidelines with the primary goal of
preventing, detecting, and containing security breaches,
and restoring affected data to its previous state.
ISO 17799 provides companies with an established framework
from which to build a robust and operational Information
Security Management System (ISMS). As a comprehensive
information security process, the ISO 17799 standard
provides companies with the following benefits:
- The creation of a defined process to evaluate,
implement, maintain, and manage information security
- A structured security methodology recognized
internationally
- Tailored policies, procedures and guidelines
- Enterprise wide operational cost savings
- Demonstration of comprehensive "due diligence"
- Better management of information security risks on a
planned and ongoing basis
- Increased access to new customers and business partners
through an improved corporate image
- The ability to demonstrate a commitment to information
security while at the same time being able to evaluate the
security status of business partners
Compliance Requirement
An Information Security Management System (ISMS)
provides the information necessary to understand the
information security policies and practices in place at
the company. The standard for compliance and
registration is BS 7799-2:1999. ISO 17799 is a
supplementary Code of Practice document that gives
recommendations for information security management.
The ISMS standard provides specific requirements for
security controls and documents to be implemented and
maintained in the company on a daily operational basis. In
addition, the ISMS must include appropriate monitoring,
reporting and review processes to ensure its effective
functioning and to identify and implement corrective
measures in a timely manner.
An ISMS is a continuous progression of compliance,
improvement and prevention. The following outlines the
basic requirements to obtain compliance:
- Define the policy
The ISMS Policy describes a company's shared vision,
commitment and direction in information security. It
gives a definition of information security, its
objectives and scope, the management intent, a brief
explanation of the compliance requirements, information
security responsibilities and the supporting
documentation.
- Define the scope of the ISMS
Depending on its characteristics, such as its location,
assets and technologies, the company has to define the
boundaries of its ISMS and set those as the scope.
- Undertake a risk assessment
Once the scope is defined, the company must undertake a
risk assessment to evaluate the risks and threats to the
information system and their respective impacts on the
organization. When evaluating risks, the company should
take into account, at a minimum, both the severity of each
risk and its likelihood of occurring.
- Manage the risk
Next, the company has to determine how to manage the
risks. Based on its information security policy and the
degree of assurance required, the company has to
prioritize the risks. Not all high-risk areas are
required to be tackled. Backed by a proper decision
process, the company can determine how it will deal with
the prioritized risks.
- Select control objectives and controls to be implemented
A list of 10 control objectives and controls comes with
BS 7799-2:1999, with their respective recommended
practices detailed in ISO 17799. The company has to
select those controls that are appropriate to its
operation for implementation. The selection should be
justified.
- Prepare a statement of applicability
From the previous stage, the company has decided which
control objectives and controls are selected for
implementation. The reasons for its selection are
required to be documented in the Statement of
Applicability. Any exclusions and exceptions should be
specified clearly in the Statement of Applicability too.
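The steps above from risk assessment through to the Statement of Applicability can be carried through on a small risk register. The following is an added example and is not part of the article or of either standard; the impact and likelihood scales (1 to 5), the impact x likelihood scoring, the treatment threshold, and the sample risks and control entries are all constructed assumptions chosen to illustrate the procedure, and ISO 17799 does not prescribe any particular scoring scheme. The area labels follow the standard's control-area titles; the control ids and descriptions are invented.

```python
"""Added example (not from the article): a minimal risk register that walks
the compliance steps from 'undertake a risk assessment' to 'prepare a
statement of applicability'. Scales, scoring, threshold and sample data are
constructed assumptions, not something ISO 17799 or BS 7799-2 prescribes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: int        # severity of the consequence, 1 (negligible) .. 5 (critical); assumed scale
    likelihood: int    # chance of occurrence, 1 (rare) .. 5 (almost certain); assumed scale
    controls: tuple    # ids of the controls that would reduce this risk

    @property
    def score(self) -> int:
        # impact x likelihood is a common rating scheme; the standard leaves the method open
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    control_id: str    # constructed identifier, not a clause number from the standard
    area: str          # control area title from the standard
    description: str


# Constructed sample data for the example
CONTROLS = (
    Control("AC-1", "Access control", "Unique user IDs and periodic access reviews"),
    Control("OP-1", "Communications and operations management", "Daily backups stored off-site"),
    Control("PH-1", "Physical and environmental security", "Badge-controlled server room"),
    Control("BC-1", "Business continuity management", "Tested disaster recovery plan"),
)

RISKS = (
    Risk("customer database", "unauthorised read by former staff", 5, 3, ("AC-1",)),
    Risk("customer database", "loss through disk failure", 4, 3, ("OP-1", "BC-1")),
    Risk("server room", "theft of hardware", 3, 1, ("PH-1",)),
    Risk("public web brochure", "defacement", 2, 2, ()),
)


def prioritize(risks):
    """Rank risks by score, highest first (the 'manage the risk' step)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def treatment_plan(risks, threshold):
    """Decide which risks are treated with controls and which are accepted.
    threshold is a management decision: the lowest score that must be treated.
    Anything below it is consciously accepted, which the text allows
    ('not all high-risk areas are required to be tackled')."""
    return {r: ("treat" if r.score >= threshold else "accept") for r in prioritize(risks)}


def statement_of_applicability(controls, risks, threshold):
    """Build the Statement of Applicability: every control is either selected,
    with the treated risks that justify it, or excluded with a stated reason,
    so that exclusions are documented rather than silently omitted."""
    plan = treatment_plan(risks, threshold)
    soa = []
    for c in controls:
        justified_by = [f"{r.asset}: {r.threat} (score {r.score})"
                        for r, decision in plan.items()
                        if decision == "treat" and c.control_id in r.controls]
        soa.append({
            "control": c.control_id,
            "area": c.area,
            "applicable": bool(justified_by),
            "justification": "; ".join(justified_by) if justified_by
            else "excluded: no risk above the treatment threshold relies on this control",
        })
    return soa


if __name__ == "__main__":
    for row in statement_of_applicability(CONTROLS, RISKS, threshold=9):
        status = "SELECTED" if row["applicable"] else "EXCLUDED"
        print(f'{row["control"]:5} {status:9} {row["area"]}: {row["justification"]}')
```

With the constructed data and a threshold of 9, the two database risks (scores 15 and 12) are treated, the theft and defacement risks (3 and 4) are accepted, and the resulting statement selects AC-1, OP-1 and BC-1 while recording PH-1 as excluded with its reason. The threshold and the accepted risks are the "proper decision process" the text calls for; both should be recorded alongside the statement so an assessor can see why each control was or was not selected.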