ISO 17799 is an internationally recognized Information Security Management Standard, first published by the International Organization for Standardization, or ISO (www.iso.ch), in December 2000. ISO 17799 is high level, broad in scope, and conceptual in nature. This approach allows it to be applied across multiple types of enterprises and applications. It has also made the standard controversial among those who believe standards should be more precise. In spite of this controversy, ISO17799 is the only "standard" devoted to Information Security Management in a field generally governed by "Guidelines" and "Best Practices."
ISO 17799 defines information as an asset that may exist in many forms and has value to an organization. The goal of information security is to suitably protect this asset in order to ensure business continuity, minimize business damage, and maximize return on investments. As defined by ISO 17799, information security is characterized as the preservation of:
o Confidentiality - ensuring that information is accessible only to those authorized to have access.
o Integrity - safeguarding the accuracy and completeness of information and processing methods.
o Availability - ensuring that authorized users have access to information and associated assets when required.
As a standard that is primarily conceptual, ISO 17799 is not:
o A technical standard
o Product or technology driven
o An equipment evaluation methodology such as the Common Criteria / ISO 15408 (www.commoncriteria.org), which deals with the functional and assurance requirements of specific equipment.
o Related to the "Generally Accepted System Security Principles," or GASSP (http://web.mit.edu/ist/topics/securityl), which is a collection of security best practices.
o Related to the five-part "Guidelines for the Management of IT Security", or GMITS / ISO 13335, which provides a conceptual framework for managing IT security.
While ISO 17799 only covers the selection and management of information security controls, these controls may:
o Require utilization of a Common Criteria Evaluation Assurance Level (EAL).
o Incorporate GASSP guidelines.
o Implement GMITS concepts.
ISO 17799 is a direct descendant of the British Standard Institute (BSI) Information Security Management standard BS 7799. The BSI (www.bsi-global.com) has long been proactive in the evolving arena of Information Security. In response to industry demands, a working group devoted to Information Security was first established in the early 1990s, culminating in a "Code of Practice for Information Security Management" in 1993. This work evolved into the first version of the BS 7799 standard, released in 1995. In the late 1990s, again in response to industry demands, the BSI formed a program to accredit auditing firms, or "Certification Bodies," as competent to audit to BS 7799. This scheme is known as c:cure (www.c-cure.org). Simultaneously, a steering committee was formed, culminating in the update and release of BS 7799 in 1998 and then again in 1999. The BS 7799 standard now consists of Part 1: Code of Practice, and Part 2: Specification of Information Security Management Systems.
By this time, information security had become headline news and a concern to computer users worldwide. While some organizations utilized the BS 7799 standard, demand grew for an internationally recognized information security standard under the aegis of an internationally recognized body, such as the ISO. This demand led to the "fast tracking" of BS 7799 Part 1 by the BSI, culminating in its first release by ISO as ISO/IEC 17799:2000 in December 2000. As of September 2001, only BS 7799 Part 1 has been accepted for ISO standardization because it is applicable internationally and across all types of organizations. Movement to submit BS 7799 Part 2 for ISO standardization has been withdrawn.
BS 7799 Part 1 (ISO 17799) versus BS 7799 Part 2
It is important to understand the distinctions between Part 1 and Part 2 of the BS 7799 standard in order to later understand the dilemma facing conformance assessment. Part 1 is an implementation guide, based on suggestions. It is used as a means to evaluate and build sound and comprehensive information security infrastructure. It details information security concepts an organization "should" do. BS 7799 Part 2 is an auditing guide based on requirements. To be certified as BS 7799 compliant, organizations are audited against Part 2. It details information security concepts an organization "shall" do. This rigidity precluded widespread acceptance and support.
Benefits of ISO 17799
Arguably, perfect security may be achievable only for networkless servers located in rooms without doors. Information security is always a matter of trade-offs, balancing business requirements against the triad of confidentiality, integrity, and availability. The information security process has traditionally been based on sound best practices and guidelines, with the goal being to prevent, detect, and contain security breaches, and to restore affected data to its previous state. While this cumulative wisdom of the ages is valid, it is also subject to various interpretations and implementations. ISO 17799 offers a benchmark against which to build organizational information security. It also offers a mechanism to manage the information security process. ISO 17799 is a comprehensive information security process that affords enterprises the following benefits:
o An internationally recognized, structured methodology.
o A defined process to evaluate, implement, maintain, and manage information security.
o A set of tailored policies, standards, procedures, and guidelines.
o Certification allows organizations to demonstrate their own, and evaluate their trading partners', information security status.
o Certification shows "due diligence".
For some organizations, such as those requiring high degrees of assurance, ISO 17799 certification may become mandatory. To other organizations, certification may be a marketing tool.
Security Policy
Security Policy control addresses management support, commitment, and direction in accomplishing information security goals, including:
o Information Security Policy document - a set of implementation-independent, conceptual information security policy statements governing the security goals of the organization. This document, along with a hierarchy of standards, guidelines, and procedures, helps implement and enforce policy statements.
o Ownership and review - ongoing management commitment to information security is established by assigning ownership and review schedules for the Information Security Policy document.
Organizational Security
Organizational Security control addresses the need for a management framework that creates, sustains, and manages the security infrastructure, including:
o Management Information Security Forum - provides a multi-disciplinary committee chartered to discuss and disseminate information security issues throughout the organization.
o Information System Security Officer (ISSO) - acts as a central point of contact for information security issues, direction, and decisions.
o Information Security responsibilities - individual information security responsibilities are unambiguously allocated and detailed within job descriptions.
o Authorization processes - ensure that security considerations are evaluated and approvals obtained for new and modified information processing systems.
o Specialist information - maintains relationships with independent specialists to allow access to expertise not available within the organization.
o Organizational cooperation - maintains relationships with both information-sharing partners and local law-enforcement authorities.
o Independent review - mechanisms to allow independent review of security effectiveness.
o Third-party access - mechanisms to govern third-party interaction within the organization based on business requirements.
o Outsourcing - organizational outsourcing arrangements should have clear contractual security requirements.
ISO 27001
ISO 27001 provides just such a solution. It focuses on the confidentiality, availability and integrity of data, and its key precepts and requirements all appear in the regulatory requirements. Implementation of an ISO 27001 framework enables an organization to comply, in one step (and subject to specific documentation and working practices tailored for each individual regulation), with all the core requirements of information-related regulation anywhere in the world.
With over 600 clients in 40 countries, Proteus Enterprise™ is the most widely used BS 7799 / ISO 17799 / ISO 27001 compliance software.
Distributed by the British Standards Institution (BSI), it is recognized as the leading BS 7799 / ISO 17799 / ISO 27001 compliance software.
Proteus Enterprise™ comprises a range of integrated modules for Compliance, Risk Management and Corporate Governance. The Enterprise solution can be delivered as an intranet server or hosted web server application. Deployment is quick, easy and reliable. Our largest clients span thousands of sites in hundreds of countries, but the same software can be installed on a stand-alone PC for single-user applications, either for internal company use (Proteus Solo™) or for delivery of consultancy services (Proteus Professional™).