

ISO-17799 and BS-7799 are the latest in a series of management system standards that organizations face. Others you may already know of are:
- ISO-9001 - Quality
- ISO-14001 - Environmental
- TS-16949 - Automotive
- OHSAS 18001 - Occupational Health and Safety
There are many others that you have either heard of or, more importantly, implemented and are currently using in your organization. All of these management system standards have been developed to satisfy concerns from industry, customers, regulatory bodies and international trading partners.
ISO-17799 is an internationally recognized Information Security Management standard. It was first published by the International Organization for Standardization (ISO) in December 2000. While there are other guidelines and best practices, ISO-17799 is the only standard for Information Security Management.
History of standards BS-7799 and ISO-17799
ISO-17799 is a direct descendant of the British Standards Institution (BSI) Information Security Management standard BS-7799. In response to industry concerns and demands, a working group devoted to information security was established in the early 1990s, culminating in a Code of Practice for Information Security Management in 1993. This work evolved into the first version of the BS-7799 standard, released in 1995.
In the late 1990s, again in response to industry demand, the BSI set up a program to accredit auditing firms (Certification Bodies) as competent to audit against BS-7799. This scheme is known as c:cure. At the same time, a steering committee was formed, resulting in updated releases of BS-7799 in 1998 and again in 1999. The BS-7799 standard now consists of Part 1: Code of Practice, and Part 2: Specification for Information Security Management Systems.
By this time, with a number of organizations already using BS-7799, demand grew for an internationally recognized information security standard under the aegis of an internationally recognized body such as ISO. This demand led the BSI to fast-track BS-7799 Part 1, resulting in its first release by ISO as ISO/IEC 17799:2000 in December 2000. As of September 2001, only BS-7799 Part 1 has been accepted for ISO standardization, because it is applicable internationally and across all types of organizations. The proposal to submit BS-7799 Part 2 for ISO standardization has been withdrawn.
It is important to understand the distinctions between Part 1 and Part 2 of the BS-7799 standard in order to later understand the dilemma facing conformance assessment.
Part 1 is an implementation guide based on recommendations. It is used as a means to evaluate and build a sound and comprehensive information security infrastructure. It describes what an organization should do.
Part 2 is an auditing guide based on requirements. To be certified as BS-7799 compliant, an organization is audited against Part 2. It states what an organization shall do.
ISO-17799 consists of 10 control clauses, which together contain 36 control objectives:

| ISO-17799 control clause | Control objectives |
|---|---|
| Security policy | Information security policy |
| Organizational security | Information security infrastructure; Security of third party access; Outsourcing |
| Asset classification and control | Accountability for assets; Information classification |
| Personnel security | Security in job definition and resourcing; User training; Responding to security incidents and malfunctions |
| Physical and environmental security | Secure areas; Equipment security; General controls |
| Communications and operations management | Operational procedures and responsibilities; System planning and acceptance; Protection against malicious software; Housekeeping; Network management; Media handling and security; Exchanges of information and software |
| Access control | Business requirement for access control; User access management; User responsibilities; Network access control; Operating system access control; Application access control; Monitoring system access and use; Mobile computing and teleworking |
| System development and maintenance | Security requirements of systems; Security in application systems; Cryptographic controls; Security of system files; Security in development and support processes |
| Business continuity management | Aspects of business continuity management |
| Compliance | Compliance with legal requirements; Reviews of security policy and technical compliance; System audit considerations |
Not all of these controls apply to every organization, and additional controls may be required in more security-sensitive areas.
ISO-17799 defines information as an asset: it may exist in many forms and has value to an organization.
Assets include:
Terms and Definitions: ISO-17799
Information Security - As defined by ISO-17799, information security is characterized as the preservation of:
- Confidentiality - ensuring that information is accessible only to those authorized to have access.
- Integrity - safeguarding the accuracy and completeness of information and processing methods.
- Availability - ensuring that authorized users have access to information and associated assets when required.
Risk assessment - Assessment of threats to, impacts on, and vulnerabilities of information and information processing facilities, and the likelihood of their occurrence.
Risk management - Process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.
ISMS - Information Security Management System.
ISO-17799 is not:
- A governmental requirement
- A technical standard
- Product or technology driven
- An equipment evaluation methodology such as the Common Criteria / ISO 15408, which deals with the functional and assurance requirements of specific equipment
- Related to the Generally Accepted System Security Principles (GASSP), which is a collection of security best practices
- Related to the five-part Guidelines for the Management of IT Security (GMITS / ISO-13335), which provides a conceptual framework for managing IT security
Benefits of ISO-17799
Arguably, perfect security may be achieved only for networkless servers located in rooms without doors. Information security is always a matter of trade-offs, balancing business requirements against the triad of confidentiality, integrity and availability. The information security process has traditionally been based on sound best practices and guidelines, with the goal of preventing, detecting and containing security breaches, and restoring affected data to its previous state. While this cumulative wisdom is valid, it is also subject to various interpretations and implementations. ISO-17799 offers a benchmark against which to build organizational information security. It also offers a mechanism to manage the information security process.
ISO-17799 is a comprehensive information security process that affords enterprises the following benefits:
- An internationally recognized, structured methodology
- A defined process to evaluate, implement, maintain and manage information security
- A set of tailored policies, standards, procedures and guidelines
- Certification allows organizations to demonstrate their own information security status and to evaluate that of their trading partners
- Certification shows due diligence
For some organizations, such as those requiring high degrees of assurance, ISO-17799 certification may become mandatory. For other organizations, certification may be a marketing tool.