As information security becomes increasingly important to the continued success of businesses, many are seeking an appropriate security framework. The ISO 17799 standard is fast becoming the choice for many. While this standard provides only a high-level description of how to implement and maintain information security, it should be a starting point for any organization trying to implement a comprehensive information security strategy. This is the first article in a series of eleven devoted to reviewing the ISO 17799 standard. Part one addresses the following: first, an overview of what the standard is and how it should be used; second, a review of the structure of the standard, which is vital for any successful analysis; and last, an examination of the Security policy control clause, as outlined by the standard. Subsequent articles will continue by reviewing the other ten security control clauses mentioned in the standard.
ISO 17799: What is it?
According to the ISO, ISO 17799 ‘establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.’ As mentioned, the standard simply offers guidelines; it does not contain in-depth information on how information security should be implemented and maintained.
The security controls (the means of managing risk) mentioned in this standard should not all be implemented. The appropriate controls should be selected only after an in-depth risk assessment has been completed, so that they meet the specific needs of the organization. Each organization is unique; therefore each will face different threats and vulnerabilities. It is also important to understand that the controls mentioned in the standard are not organized or prioritized according to any specific criteria. Each control should be given equal importance and considered at the requirements specification and design stage of systems and projects. Failure to do this will result in less cost-effective measures, or even failure to achieve adequate security.
The last point that should be highlighted about the standard is the ISO warning that no set of controls will achieve complete security. The ISO encourages additional intervention from management to monitor, evaluate and improve the effectiveness of security controls to support the business objectives of the organization.