ISO/IEC 17799

ISO/IEC 17799 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full title is Information technology - Security techniques - Code of practice for information security management.

The current edition, ISO/IEC 17799:2005, is a revision of the 2000 edition, which was itself a word-for-word adoption of the British Standard BS 7799-1:1999.

ISO/IEC 17799 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems.

Information security is defined within the standard as the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).

The 2005 version of the standard contains the following eleven main sections:

  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

Within each section, control objectives are specified and a range of controls generally regarded as best-practice means of achieving those objectives is outlined, with implementation guidance given for each control. No specific control is mandated, for two reasons: (a) each organization is expected to carry out a structured information security risk assessment to determine its own requirements before selecting the controls appropriate to its circumstances (the standard itself outlines a risk assessment process in its clause on risk assessment and treatment, and more detailed guidance exists in standards such as ISO/IEC TR 13335-3, Guidelines for the management of IT security, Part 3: Techniques for the management of IT security); and (b) it is practically impossible to list every conceivable control in a general-purpose standard.

ISO/IEC 17799 has directly equivalent national standards in several countries, including Australia and New Zealand (AS/NZS 7799), the Netherlands (SPE 20003), Sweden (SS 627799), Japan (JIS X 5080), Spain (UNE 71501) and the United Kingdom (BS 7799-1:1999, the original standard). Not all of these countries have yet adopted the 2005 edition.

ISO/IEC 17799:2005 is to be renumbered ISO/IEC 27002, as the ISO/IEC 27000 series of standards is now reserved for information security matters.

Source: Wikipedia

www.compliancesources.com is NOT affiliated with ISO in any way. We provide information and are supported by advertising.
