ISO 17799 (renumbered ISO/IEC 27002 in 2007) is an information security code of practice. It is organised into a number of sections covering a wide range of security issues. Very broadly, the objectives of these sections are as follows:
1. Risk Assessment and Treatment
This section was added in the 2005 revision of the standard and deals with the fundamentals of security risk analysis and treatment.

2. Security Policy
Provide management direction and support for information

3. Organizing Information Security
Manage information security within the organization.
Maintain the security of information and processing facilities with respect to

4. Asset Management
Achieve and maintain appropriate protection of organizational assets.
Ensure that information receives an appropriate level of protection.

5. Human Resources Security
Ensure that employees, contractors and third parties are suitable for the jobs they are considered for and understand their responsibilities, and reduce the risk of abuse (theft, misuse, etc.).
Ensure that the above are aware of information security threats and their responsibilities, and are able to support the organization's security policies.
Ensure that the above exit the organization in an orderly and controlled

6. Physical and Environmental Security
Prevent unauthorized physical access, interference and damage to the organization's information and premises.
Prevent loss, theft and damage of assets, and interruption to the organization's activities.

7. Communications and Operations Management
Ensure the secure operation of information processing facilities.
Maintain the appropriate level of information security and service delivery, aligned with third-party agreements.
Minimize the risk of system failures.
Protect the integrity of information and software.
Maintain the availability and integrity of information and processing facilities.
Ensure the protection of information in networks and of the supporting infrastructure.
Prevent unauthorized disclosure, modification, removal or destruction of assets.
Prevent unauthorized disruption of business activities.
Maintain the security of information and/or software exchanged internally and
Ensure the security of e-commerce services.
Detect unauthorized information processing activities.

8. Access Control
Control access to information.
Ensure authorized user access.
Prevent unauthorized access to information systems.
Prevent unauthorized user access and compromise of information and processing
Prevent unauthorized access to networked services.
Prevent unauthorized access to operating systems.
Prevent unauthorized access to information within application systems.
Ensure information security with respect to mobile computing and teleworking.

9. Information Systems Acquisition, Development and Maintenance
Ensure that security is an integral part of information systems.
Prevent loss, errors or unauthorized modification/use of information within
Protect the confidentiality, integrity or authenticity of information via
Ensure the security of system files.
Maintain the security of application system information and software.
Reduce/manage risks resulting from exploitation of published vulnerabilities.

10. Information Security Incident Management
Ensure that security information is communicated in a manner allowing corrective action to be taken in a timely fashion.
Ensure that a consistent and effective approach is applied to the management of information security issues.

11. Business Continuity Management
Counteract interruptions to business activities and protect critical processes from the effects of major failures/disasters.
Ensure timely resumption of the above.

12. Compliance
Avoid the breach of any law, regulatory or contractual obligation and of any security
Ensure that systems comply with internal security policies/standards.
Maximize the effectiveness of, and minimize associated interference from and to, the systems audit process.