ISO 17799 and ISO 27001 – Information Security

ISO 17799:2005 – Information Technology – Security Techniques – Code of Practice for Information Security Management

This new version of ISO 17799 addresses the security of information in its widest sense, providing best business practice, guidelines and general principles for implementing, maintaining, and managing information security in any organization, producing and using information in any form.

Any organization has assets, essential to its continuity. Arguably, information in its various forms is the most important asset, be it printed, stored electronically, posted or e-mailed, shown on film or spoken. For most businesses, information security may be essential to maintain competitive edge, cash flow, profitability, legal compliance, and commercial image. But, many businesses and most non-business organizations may hold information as their only asset. An absence of information security may threaten their integrity and, therefore, their very existence.

ISO 17799:2005 recognizes that the level of security that can be achieved purely through technical means is limited. The required level of security (established through assessing the levels of risk and associated costs through breaches of security, against the costs of implementing security) should always be driven by appropriate management controls and procedures. Information security management requires, at a minimum, participation by all employees in the organization. It may also require participation from shareholders, suppliers, third parties, and customers.

ISO 17799:2005 identifies the controls that form the starting point for information security. It covers:


  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development, and maintenance
  • Incident management
  • Business continuity management
  • Compliance


The interconnected e-commerce environment, with information now exposed to a growing number and a wider variety of threats and vulnerabilities, is the main beneficiary of this standard. It is destined to become an essential tool for organizations of every type and size, whether public or private.

Ted Humphreys, Convenor of the ISO working group that developed ISO 17799:2005, said: “The revised version of this standard provides organizations with many state-of-the-art additions and improvements in information security best practice.” “For example, better management of security arrangements with external businesses, outsourcing and service providers, enhanced incident handling capability, dealing with problems of patch management, mobile devices, wireless technologies and harmful mobile code via the Internet, improvements in best practice managing human resources, and several other new features.”

“In summary, this revised ISO 17799 is the most important standard for managing information security that has been developed – it establishes a truly international common language for information security for all organizations around the world to engage with each other to do business.”

ISO 17799:2005 can be ordered at: <http://webstore.ansi.org>.

ISO 27001:2005 – Information Technology – Security Techniques – Information Security Management Systems – Requirements

This new standard is planned for publication in November of this year. ISO 27001:2005 will complement ISO 17799:2005 and provide a specification for Information Security Management Systems and the foundation for third party audits.