What is ISO 17799?

Critical Success Factors

The ISO 17799 document identifies ten factors which are considered to be essential for the successful implementation of security.

These are:
- An approach to the IS process which aligns with company culture
- IS policy, objectives and activities that reflect business objectives
- Open security commitment from all levels of management
- Good distribution of guidance on IS policy/standards
- Implementation of an effective IS measurement system
- Proper funding of IS activities
- Adequate awareness, education and training
- Creation of a sound IS incident management process
- A good understanding of IS requirements and risk
- Effective security awareness 'marketing' throughout

What is ISO 17799?

ISO 17799 is an information security code of practice. It includes a number of sections, covering a wide range of security issues. Broadly (very) the objectives of these are as follows:

1. Risk Assessment and Treatment
This section was an addition to the latest version, and deals with the fundamentals of security risk analysis..

2. System Policy
Objective: To provide management direction and support for information security

3. Organizing Information Security
Objectives:

a) To manage information security within the organization

b) Maintain the security of information and processing facilities with respect to external parties.

4. Asset Management
Objectives:

a) Achieve and maintain appropriate protection of organizational assets.

b) Ensure that information receives an appropriate level of protection.

5. Human Resources Security
Objectives:

a) Ensure that employees, contractors and third parties are suitable for the jobs they are considered for, understand their responsibilities, and to reduce the risk of abuse (theft, misuse, etc).

b) Ensure that the above are aware of IS threats and their responsibilities, and able to support the organization's security policies

c) Ensure that the above exit the organization in an orderly and controlled manner.

6. Physical and Environmental Security
Objectives:

a) Prevent unauthorized physical access, interference and damage to the organization's information and premises.

b) Prevent loss, theft and damage of assets

c) Prevent interruption to the organization's activities.

7. Communications and Operations Management
Objectives:

a) Ensure the secure operation of information processing facilities

b) Maintain the appropriate level of information security and service delivery, aligned with 3rd party agreements

c) Minimize the risk of systems failures

d) Protect the integrity of information and software

e) Maintain the availability and integrity of information and processing facilities

f) Ensure the protection of information in networks and of the supporting infrastructure

g) Prevent unauthorized disclosure, modification, removal or destruction of assets.

h) Prevent unauthorized disruption of business activities.

i) Maintain the security of information and/or software exchanged internally and externally.

j) Ensure the security of e-commerce services

k) Detect unauthorized information processing activities

8. Access Control
Objectives:

a) Control access to information

b) Ensure authorized user access

c) Prevent unauthorized access to information systems

d) Prevent unauthorized user access and compromise of information and processing facilities

e) Prevent unauthorized access to networked services

f) Prevent unauthorized access to operating systems

g) Prevent unauthorized access to information within application systems

h) Ensure information security with respect to mobile computing and teleworking facilities

9. Information Systems Acquisition, Development and Maintenance
Objectives:

a) Ensure that security is an integral part of information systems

b) Prevent loss, errors or unauthorized modification/use of information within applications

c) Protect the confidentiality, integrity or authenticity of information via cryptography

d) Ensure the security of system files

e) Maintain the security of application system information and software

f) Reduce/manage risks resulting from exploitation of publiched vulnerabilities

10. Information Security Incident Management
Objectives:

a) Ensure that security information is communicated in a manner allowing corrective action to be taken in a timely fashion

b) Ensure a consistent and effective approach is applied to the management of IS issues

11. Business Continuity Management
Objectives:

a) Counteract interruptions to business activities and protect critical processes from the effects of major failures/disasters

b) Ensure timely resumption of the above

12. Compliance
Objectives:

a) Avoid the breach of any law, regulatory or contractual obligation and of any security requirement.

b) Ensure systems comply with internal security policies/standards

c) Maximize the effectiveness of and minimize associated interference from and to the systems audit process

Historical Development

The original version of the document upon which ISO 17799 is based (the "DTI Information Security Code of Practice") was much small in scope than the current, and identified 10 controls which were considered to be more important than the rest. These were known as 'Key Controls'.

By the time that the first version of ISO 17799 was published, in December 2000, these had been eliminated. However, the standard itself was still smaller than the present version, and comprised of ten main sections (chapters) as opposed to twelve.

In addition to the new sections, the current version, which was published in June 2005, introduced new controls to cover new emerging issues. Changes were also made to make the standard more 'user friendly' and to harmonize it with other management standards.

Legislation

ISO 17799 identifies three controls as likely to be essential from a legislative perspective. These are:
15.1.4) Data protection and privacy of personal information
15.1.3) Protection of organizational records
15.1.2) Intellectual property rights

Common Practice

The standard also identifies a further seven controls which it considers to be 'common practice' for information security. These are:
5.1.1) Information security policy document
6.1.3) Allocation of information security responsibilities
8.2.2) Information security awareness, training and education
12.2) Correct processing in applications
12.6) Technical vulnerability management
14) Business continuity management
13.2) Management of information security incidents and improvements