ISO 17799
information security code of practice
ISO 17799
Sound information security is the cornerstone of sensible corporate governance. The emergence of an international standard to support this, was perhaps, inevitable.
WHAT IS ISO 17799
ISO/IEC 17799 is an information security standard published in December 2000 by the International Organization for Standardization and the International Electrotechnical Commission in 2000 entitled Information technology.
The standard effectively comprises of two parts:
a) Part 1: ISO/IEC 17799:2000
This is essentially the set of security controls: the measures and safeguards for potential implementation. In volume it is the main body of the overal 'standard set' itself.
The contents of this part are as follows:
- 1. Scope
- 2. Terms and definitions
- 3. Security Policy
- 3.1. Information Security POlicy
- 4. Security Organization
- 4.1 Information Security Infrastructure
- 4.2 Security and Third Party Access
- 4.3 Outsourcing
- 5. Asset Classification and Control
- 5.1 Accountability for assets
- 5.2 Information Classification
- 6. Personnel Security
- 6.1 Security in Job Definition and Resourcing
- 6.2 User Training
- 6.3 Responding to Security Incidents and Malfunctions
- 7. Physical and Environmental Security
- 7.1 Secure Areas
- 7.2 Equipment Security
- 7.3 General Controls
- 8. Communications and Operations Management
- 8.1 Operational Procedures and Responsibility
- 8.2 System Planning and Acceptance
- 8.3 Protection Against Malicious Software
- 8.4 Housekeeping
- 8.5 Network Management
- 8.6 Media Handling and Security
- 8.7 Exchanges of Information and Software
- 9 Access Control
- 9.1 Business Requirement for Access Control
- 9.2 User Access Management
- 9.3 User Responsibilities
- 9.4 Network Access Control
- 9.5 Operating System Access Control
- 9.6 Application Access Management
- 9.7 Monitoring System Access and Use
- 9.8 Mobile Computing and Telenetworking
- 10. System Development and Maintenance
- 10.1 Security Requirements of Systems
- 10.2 Security in Application Systems
- 10.3 Cryptographic Controls
- 10.4 Security of System Files
- 10.5 Security in Development and Support Processes
- 11. Business Continuity Management
- 11.1 Aspects of Business Continuity Management
- 12. Compliance
- 12.1 Compliance with Legal Requirements
- 12.2 Reviews of Security Policy and Technical Compliance
- 12.3 System Audit Considerations
b) Part 2: BS7799-2:1999
This is the 'specification' for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from a top down perspective. It essentially explains how to apply ISO 17799 and it is this part that can currently be certified against.
Part 2 defines a six part 'process', roughly as follows:
- Define a security policy
- Define the scope of the ISMS
- Undertake a risk assessment
- Manage the risk
- Select control objectives and controls to be implemented
- Prepare a statement of applicability.
This possibly illustrates why risk analysis and security policies are so fundamental to progress with this standard.
ADVANTAGES - ISO 17799
- A rise in the number of customers by maintaining the customer information confidentially.
- Committed Top Management.
- Lets the Organization to have more serious focus on the little scraps of information.
- Volume of data maintenance can be reduced - when classification of data is done redundant data can be eliminated.
- Availability of a security policy and regulations make it easier to resolve security incidents.
- Availability of a business continuity process.
WHY SAG Management Services Pvt. Ltd.
SAG Management Services Pvt. Ltd. has an enviable record for customer satisfaction for its certification services. A friendly approach and a dislike of bureaucracy has led to unprecedented growth through referrals from contented clients.
COST
Please fill a simple questionnaire and we will get in touch with you with our most competitive rates.