ISO 17799 is an internationally recognized Information Security Management guidance standard, first published by the International Organization for Standardization (ISO), jointly with the IEC, in December 2000. Its predecessor, the British standard BS 7799, had existed in various forms for a number of years, although the standard only gained widespread recognition following its publication by ISO.
ISO 17799 is high level, broad in scope, and conceptual in nature. This approach allows it to be applied across many types of enterprise and application. It has also made the standard controversial among those who believe standards should be more precise. In spite of this controversy, ISO 17799 is the only “standard” devoted to Information Security Management in a field generally governed by “Guidelines” and “Best Practices”.
ISO 17799 defines information as an asset that may exist in many forms and has value to an organization. The goal of information security is to protect this asset suitably in order to ensure business continuity, minimize business damage, and maximize return on investment. As defined by ISO 17799, information security is characterized as the preservation of:
- Confidentiality – ensuring that information is accessible only to those authorized to have access
- Integrity – safeguarding the accuracy and completeness of information and processing methods
- Availability – ensuring that authorized users have access to information and associated assets when required
As a Standard that is primarily conceptual, ISO 17799 is not:
- A technical standard
- Product or technology driven
- Derived from the five-part “Guidelines for the Management of IT Security,” GMITS (ISO/IEC TR 13335), which provides a separate conceptual framework for managing IT security
HOW TO USE ISO 17799
For most companies information security is a high priority, yet it often involves trade-offs between the requirements of the business and the need for confidentiality, integrity, and availability of information. Traditionally, information security management has been based on loosely established best practices and guidelines, with the primary goals of preventing, detecting, and containing security breaches and restoring affected data to its previous state.
ISO 17799 provides companies with an established framework from which to build a robust, operational Information Security Management System (ISMS). As a comprehensive information security process, the ISO 17799 standard offers companies the following benefits:
- The creation of a defined process to evaluate, implement, maintain, and manage information security
- A structured security methodology recognized internationally
- Tailored policies, procedures and guidelines
- Enterprise wide operational cost savings
- Demonstration of comprehensive “due diligence”
- Better management of information security risks on a planned and ongoing basis
- Increased access to new customers and business partners through an improved corporate image
- The ability to demonstrate a commitment to information security while at the same time being able to evaluate the security status of business partners
An Information Security Management System (ISMS) provides the information necessary to understand the information security policies and practices in place at a company. The standard against which compliance is assessed and registration (certification) is granted is BS 7799-2:1999. ISO 17799 is the accompanying Code of Practice, which gives recommendations for information security management but is not itself a certification standard.
The ISMS standard specifies the security controls and documents that must be implemented and maintained in the company's day-to-day operation. In addition, the ISMS must include appropriate monitoring, reporting and review processes to ensure that it functions effectively and that corrective measures are identified and implemented in a timely manner.
An ISMS is a continuous cycle of compliance, improvement and prevention. The basic requirements for obtaining compliance are as follows:
- Define the policy: The ISMS Policy describes a company's shared vision, commitment and direction in information security. It gives a definition of information security, its objectives and scope, the intent of management, a brief explanation of the compliance requirements, information security responsibilities and the supporting documentation.
- Define the scope of the ISMS: Depending on the characteristics of the company, such as its locations, assets and technologies, it must define the boundaries of its ISMS and set these as the scope. Anything outside the scope is not covered by the certification, so the boundary should be drawn deliberately and recorded.
- Undertake a risk assessment: Once the scope is defined, the company must carry out a risk assessment to evaluate the threats to its information systems, the risks they pose and their respective impacts on the organization. When evaluating risks, the company should take into account at a minimum both the severity (impact) of each risk and the likelihood of its occurring.
- Manage the risk: Next, the company must determine how to manage the risks. Based on its information security policy and the degree of assurance required, it prioritizes the risks. Not every high-risk area has to be tackled; backed by a proper, documented decision process, the company decides how it will deal with each prioritized risk, for example by applying controls, knowingly accepting it, avoiding it, or transferring it to a third party.
- Select control objectives and controls to be implemented: BS 7799-2:1999 lists the control objectives and controls, grouped into ten sections, with their respective recommended practices detailed in ISO 17799. The company must select the controls appropriate to its operation and implement them. Each selection, and each omission, should be justified and traceable to the risk assessment.
- Prepare a statement of applicability: By the previous stage the company will have decided which control objectives and controls to implement. The reasons for its selection must be documented in the Statement of Applicability, and any exclusions and exceptions must also be specified clearly there.