What is ISO 17799?

ISO 17799 is an information security code of practice. It includes a number of sections, covering a wide range of security issues. Very broadly, the objectives of these sections are as follows:

1. Risk Assessment and Treatment
This section was an addition to the latest version, and deals with the fundamentals of security risk analysis.

2. Security Policy
Objective:  To provide management direction and support for information security


3. Organizing Information Security

a) Manage information security within the organization

b) Maintain the security of information and processing facilities with respect to external parties.


4. Asset Management

a) Achieve and maintain appropriate protection of organizational assets. 

b) Ensure that information receives an appropriate level of protection.


5. Human Resources Security

a) Ensure that employees, contractors and third parties are suitable for the jobs they are considered for, understand their responsibilities, and reduce the risk of abuse (theft, misuse, etc.).

b) Ensure that the above are aware of information security threats and their responsibilities, and are able to support the organization's security policies.

c) Ensure that the above exit the organization in an orderly and controlled manner.   


6. Physical and Environmental Security

a) Prevent unauthorized physical access, interference and damage to the organization's information and premises. 

b) Prevent loss, theft and damage of assets

c) Prevent interruption to the organization's activities.  


7. Communications and Operations Management

a) Ensure the secure operation of information processing facilities

b) Maintain the appropriate level of information security and service delivery, aligned with third-party agreements

c) Minimize the risk of systems failures

d) Protect the integrity of information and software

e) Maintain the availability and integrity of information and processing facilities

f) Ensure the protection of information in networks and of the supporting infrastructure

g) Prevent unauthorized disclosure, modification, removal or destruction of assets.

h) Prevent unauthorized disruption of business activities. 

i) Maintain the security of information and/or software exchanged internally and externally.

j) Ensure the security of e-commerce services 

k) Detect unauthorized information processing activities


8. Access Control

a) Control access to information

b) Ensure authorized user access

c) Prevent unauthorized access to information systems

d) Prevent unauthorized user access and compromise of information and processing facilities

e) Prevent unauthorized access to networked services

f) Prevent unauthorized access to operating systems

g) Prevent unauthorized access to information within application systems

h) Ensure information security with respect to mobile computing and teleworking facilities


9. Information Systems Acquisition, Development and Maintenance 

a) Ensure that security is an integral part of information systems

b) Prevent loss, errors or unauthorized modification/use of information within applications

c) Protect the confidentiality, integrity or authenticity of information via cryptography

d) Ensure the security of system files

e) Maintain the security of application system information and software

f) Reduce/manage risks resulting from exploitation of published vulnerabilities


10. Information Security Incident Management

a) Ensure that security events and weaknesses are communicated in a manner allowing corrective action to be taken in a timely fashion

b) Ensure a consistent and effective approach is applied to the management of information security incidents


11. Business Continuity Management

a) Counteract interruptions to business activities and protect critical processes from the effects of major failures/disasters

b) Ensure timely resumption of the above   


12. Compliance

a) Avoid the breach of any law, regulatory or contractual obligation and of any security requirement.

b) Ensure systems comply with internal security policies/standards

c) Maximize the effectiveness of the systems audit process and minimize interference to and from it

Historical Development
The original version of the document upon which ISO 17799 is based (the "DTI Information Security Code of Practice") was much smaller in scope than the current one, and identified 10 controls which were considered to be more important than the rest. These were known as 'Key Controls'.

By the time the first version of ISO 17799 was published, in December 2000, these had been eliminated. However, the standard itself was still smaller than the present version, and comprised ten main sections (chapters) as opposed to twelve.

In addition to the new sections, the current version, which was published in June 2005, introduced new controls to cover emerging issues. Changes were also made to make the standard more 'user friendly' and to harmonize it with other management standards.

ISO 17799 identifies three controls as likely to be essential from a legislative perspective. (The numbers below are the clause numbers used in the 2005 edition of the standard, where the numbered sections run from 4 (Risk Assessment) to 15 (Compliance); they do not correspond to the 1 to 12 numbering of the list above.) These are:
15.1.4) Data protection and privacy of personal information
15.1.3) Protection of organizational records
15.1.2) Intellectual property rights

Common Practice
The standard also identifies a further seven controls which it considers to be 'common practice' for information security. These are:
5.1.1) Information security policy document
6.1.3) Allocation of information security responsibilities
8.2.2) Information security awareness, training and education
12.2) Correct processing in applications
12.6) Technical vulnerability management
14) Business continuity management
13.2) Management of information security incidents and improvements