ISO / IEC 17799
- Information Security Standard
Formerly a British Standard (BS 7799-1:1999), this is now the international standard setting out how businesses should conduct the management of their information security requirements.
Code of practice for Information Security Management
A number of different ‘security standards’ have been published over the last ten years by different bodies. These include a variety of publications by formal bodies such as the US National Institute of Standards and Technology (NIST), see www.nist.gov, the ISO/IEC technical report Guidelines for the Management of IT Security (GMITS), the International Information Security Foundation (I²SF) Generally Accepted System Security Principles (GASSP), and the OECD security principles; whilst in other domains the Internet references:
ISO 17799 is steadily gaining ground as an internationally accepted and implemented standard, having been mandated for use in all UK government departments and adopted in Australia, Brazil, Japan, the Netherlands and Sweden.
The standard identifies a number of ‘critical success factors’ that an organization must achieve if it is to be successful in implementing information security. These include: having policies that reflect business objectives, using an approach consistent with organizational culture, commitment from management, a good understanding of requirements, effective policy promulgation, suitable training and education, and feedback to ensure continuous improvement.
Over 100 potential controls are identified, split over twelve general topic headings. These have been found to be generally appropriate to meet most organizations’ information security needs, whether information is held on paper or stored in computer systems. Small and Medium Enterprises (SMEs) may not need to consider all the controls, or may rely on the capabilities of commercial package products to provide and support the controls that they need. Government departments may need to take account of the policies set by national security bodies that may add requirements not covered by ISO 17799. Banks and similar organizations may also have requirements that exceed the points listed in the standard.
There is a separate standard, BS 7799 Part 2:1999, which sets out the requirements where an organization wishes to have its management procedures (the Information Security Management System – ISMS) certified. The general approach to this kind of certification will be immediately familiar to those already certified under ISO 9000/14000. The important distinctions are the need to have carried out a risk analysis, the need for justification of the controls that have been selected, that there is a process for continual improvement, and that the management controls operate correctly and are adequate for their purpose. If an organization has already had its information security management processes evaluated under ISO 9000/14000, the addition of the requirements for BS 7799-2 should not be very large or onerous.
ArticSoft products have been designed to help organizations of any size comply with requirements for adequate information security without requiring complex procedures, controls and implementation.