ISO 17799

ISO 17799 is now established as the de facto standard for information security. Over the years, as its influence has increased, it has also matured in terms of scope and supporting infrastructure. A second part has been established (BS7799) to cover management systems, and compliance and certification schemes are now well-trodden paths.

The ISO 17799 Implementation and Resource Portal is intended to assist both newcomers and experienced security practitioners by aggregating the key information and resources needed to move forward with the standard. It is intended to serve as a genuine launch pad for all needs with respect to both ISO 17799 and BS7799.

The portal offers a whole range of information, resources, templates, tools and news. It is also developing fast, and as a 'living site' contributions are always welcome.

WHAT IS ISO 17799?
ISO 17799 itself is actually a code of practice. It details over 130 specific controls, categorized into around 36 control objectives, listed in 11 distinct chapters. More details on these are provided HERE.

Confusion occasionally arises because of the existence of a 'second part', which is known as BS7799. This, however, is NOT a code of practice, but is a specification for an Information Security Management System (ISMS).

The standard is a copyrighted publication, and is available through official and authorized sources. The best known is probably BSI's electronic shop, Standards Direct, which provides the standard as a download in PDF format: ISO 17799 Download

The standard is also available as part of the ISO 17799 Toolkit, which is a specifically designed starter kit for the standard: ISO 17799 Toolkit

The need for a comprehensive and detailed set of information security policies is a basic requirement of the standard. This is not only emphasized by the fact that policy, and policy management, is afforded a complete section within the standard, but by the status of policies within BS7799.

An aligned set of policies is, of course, included within the above toolkit. To help demonstrate the depth of content required, we are pleased to be able to provide an insight into these via the ISO 17799 Policy Content List.

Since initial publication of the standard, a number of resources have emerged to assist ISO 17799 implementation. We will shortly be providing a directory of some of the major players.

The ISO17799 Newsletter is a long-established, approximately quarterly email publication dedicated specifically to the standard. Its subscription base is 12,000 strong, and it provides all the latest news, along with tips and general security advice.

To subscribe to it, simply send an email to us with a title of 'ISO17799 Newsletter Subscription'. This will automatically forward to the publishers.

How has the standard evolved? What is its history? How have other organizations implemented it? What is on the horizon for the future? These are all common questions and issues. Hopefully, this section will answer some or all of them.

We are also expanding our sections on risk analysis, and our library of security books.

Hopefully you will have found this portal to be of value. However, if you need further information, or perhaps wish to contribute some information, please do not hesitate to contact us directly.


Quick Questions
What is PDCA?
This is short for "Plan-Do-Check-Act", which is a simple management model used in BS 7799-2.

What is Certification and Accreditation?
An accreditation body is an organization (usually national) that grants third parties the authority to issue 'certificates' (to certify) against standards. This third party is the certification company.

How Should Security Requirements Be Established?
ISO 17799 suggests three sources: risk assessment; contractual, legal and regulatory requirements; and internal principles, objectives and requirements.

Who Wrote The Standard?
It was initially produced by a BSI/DISC committee, including representatives from commerce and industry. It was later reviewed by ISO, again using significant consultation mechanisms.

How Does It Fit With ISO 9000?
BS7799-2 is currently being "harmonized" with other management standards, including ISO 9001 and ISO 14001.

Can I Obtain a Free Copy?
No. It is copyrighted material and must be purchased as with any other similar standard.

Is there an International User Group?
There is an informal online user group at

We may accept adverts in the future. Please contact us for details.


2018 ISO 17799 Portal (DenialInfo).