
ISO17799

The information security lifecycle begins with a risk assessment, followed by actions involving policy, technology, or both.
The structure of the risk assessment sets the organization on a path that management can (in part) choose. Based on the questions asked during the risk assessment phase, the organization's security posture is compared against a standard. The most widely accepted standard today is ISO 17799.

ISO 17799 was updated in June 2005. This second edition is used for all security services that Impruve offers. In some of our documents, we use the 17799:2005 label to make clear that the second edition is being referenced. (In 2007 the standard was renumbered ISO/IEC 27002 without a change in content, so references to 27002 describe the same set of controls.)

ISO 17799:2005 is organized in 16 chapters, called clauses in the 17799 terminology, numbered 0 through 15. This can be a bit confusing when reviewing the document, since the numbering starts at clause 0 rather than clause 1.

The first five (Introduction, Scope, Terms and Definitions, Structure of this Standard, and Risk Assessment and Treatment) are typically omitted from assessments because they contain no specific security controls. The remaining eleven clauses (5 through 15) are:

• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance

The actual standard is available from the ISO web site. It is not a free download; at the time of writing (April 2006) it was priced at 200.00 Swiss Francs, roughly US$160.

More information can be found at:
http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html

Synergy in Security (Download PDF, 544 KB)
Why a combined ISO 17799 and OCTAVE approach makes sense. This paper was written before the second edition was published, so it is based on the first edition, 17799:2000.

Or contact Impruve with any questions. We have tailored our policies and risk assessment methodologies to 17799:2005, which is valuable for organizations that wish to model their security program on the standard.


© 2008 Impruve all rights reserved.