ISO 17799 2000


ISO 17799 2000 is OBSOLETE. Please see ISO IEC 27002 2013.


ISO is the International Organization for Standardization. It was set up in 1947 and is located in Geneva, Switzerland. Its purpose is to develop standards that support and facilitate international trade. IEC is the International Electrotechnical Commission. It was set up in 1906 and is also located in Geneva, Switzerland. Its purpose is to develop standards for all types of electrotechnologies. Both ISO and IEC are supported by national member bodies. These member bodies participate in the standards development process through technical committees.

The ISO/IEC 17799 standard started out as a British standard called BS 7799. The BS 7799 standard was developed by the British Standards Institution. It became the ISO/IEC 17799 standard when a joint ISO/IEC technical committee adopted the standard for international use.  This joint committee is called ISO/IEC JTC 1 and is responsible for all information technology standards.

Once this ISO/IEC information technology committee adopted the ISO/IEC 17799 standard, it was circulated to member organizations for approval. The ISO/IEC 17799 standard was formally approved during the year 2000, and finally published on December 1, 2000.

ISO/IEC 17799

According to the standard’s official title page, ISO/IEC 17799 is made up of information security management practices. In the Scope section (part 1) of the standard, ISO/IEC says that the standard consists of recommendations. Therefore, we can say that the standard defines a set of recommended practices. Or more precisely, we can say that the standard defines a set of recommended information security management practices.

It’s important to think of the standard as a set of recommendations because ISO/IEC does not expect you to apply every piece of the standard. Instead, ISO/IEC suggests that you merely consider each recommendation as you try to improve your information security program.

You don’t have to accept every recommendation. It all depends on your information security needs. If a particular recommendation helps you to address an important security need, then accept it.
Otherwise, ignore it.

Information Security

The ISO/IEC 17799 2000 standard is all about information. Since information can exist in many forms, the ISO/IEC 17799 standard takes a very broad approach. In the context of this standard, the term information includes at least the

  • Electronic files
    • Software files
    • Data files
  • Paper documents
    • Printed materials
    • Hand written notes
    • Photographs
  • Recordings
    • Video recordings
    • Audio recordings
  • Communications
    • Conversations
      • Telephone conversations
      • Cell phone conversations
      • Face to face conversations
    • Messages
      • Email messages
      • Fax messages
      • Video messages
      • Instant messages
      • Physical messages

From the standpoint of an organization, information has value and is therefore an asset. It therefore needs to be protected just like any other corporate asset. And because information must be protected, the infrastructure that supports information must also be protected. This infrastructure includes all the networks, systems, and functions that allow an organization to manage and control its information assets. The big question is how do you protect your information assets? That’s where the ISO/IEC 17799 standard comes in. It tries to tell you what you can do to protect your organization’s information assets.

But why should information assets need to be protected? Information needs to be protected because modern organizations are faced with a wide range of security threats. These threats include everything from human error and equipment failure, to theft, fraud, vandalism, sabotage, fire, flood, and even terrorism.

And what exactly is being protected? According to ISO/IEC information security is all about protecting the confidentiality, integrity, and availability of information. That’s what you have to protect. And because these terms are central to what the standard is all about, ISO/IEC has tried to define them (in part 2 of the standard). According to ISO/IEC 17799:

  • To preserve the confidentiality of information means to ensure that it can only be accessed by people who have been given formal authorization to do so.

  • To preserve the integrity of information means to protect the accuracy and completeness of information and the methods that are used to process it.

  • To preserve the availability of information means to ensure that authorized users have access to information and associated assets when required.

Your Security Risks

ISO/IEC suggests that you begin by identifying your organization’s information security risks and needs.
They suggest that you identify your security risks
and needs in the following way:

  1. Perform a risk assessment. Identify major security threats and vulnerabilities. Then determine how likely it is that each threat and vulnerability will cause a security incident. And then evaluate the potential impact each incident could have on your organization. This will help you to pinpoint your organization’s unique information security risks and needs.
  2. Study your legal requirements. Study all the legal, statutory, regulatory, and contractual requirements that your organization, its trading partners, contractors, and service providers must meet. Look for all the information security requirements that must be met. This will help you to identify your organization’s unique legal information security risks and needs.

  3. Examine your own requirements. Examine your organization’s own information processing principles, objectives, and requirements. Study the information processing methods and practices that your organization has developed in order to support its operations. This will help you to identify and refine your organization’s unique information security risks and needs.

Your Security Program

Once you’ve identified your information security risks and needs, you can begin to develop or improve your own information security program. Choose from the security practices recommended by this ISO/IEC 17799 standard. Select the practices that address the security risks that you face, the ones that meet your unique security needs, and ignore the ones that don’t.

ISO/IEC suggests that the following security practices are a good place to start, and therefore ought to be at the center of your information security program:

  • Common best practices:
    • Develop an information security policy document.
    • Allocate responsibility for information security.
    • Report security incidents to management.
    • Design a continuity management process.
    • Provide security training and education.
  • Common legislated practices:

    • Respect intellectual property rights.
    • Safeguard your organization’s records.
    • Protect the privacy of personal information.

Your Success Factors

According to ISO/IEC, your organization’s information security program will be more successful if you accept the following suggestions:

  • Make sure that your senior management
    visibly supports and is committed to your
    information security program.

  • Make sure that your approach to information
    security is consistent with your organization’s corporate culture.

  • Make sure that your information security policy, objectives, and activities reflect your organization’s business objectives.

  • Make sure that your organization understands its own unique information security needs and requirements.

  • Make sure that your organization understands why risk management is central to your program and why a risk assessment should be performed.

  • Make sure that your information security program
    is explained to all managers and employees and
    that they understand why it’s important.

  • Make sure that you distribute information that
    explains your information security policy and
    standards to all employees and contractors.

  • Make sure that you provide appropriate
    security training and education.

  • Make sure that you encourage people to provide feedback and to suggest ways of improving the performance of your information security program.

  • Make sure that you develop a balanced and comprehensive way of measuring and monitoring
    the performance of your information security program.

Praxiom Research Group Limited

ISO IEC 27002 2013 PAGES

ISO IEC 27002 2013 Introduction

Overview of ISO IEC 27002 2013 Standard

Information Security Control Objectives

Information Security Audit Questionnaires

How to Use the ISO IEC 27002 2013 Standard

ISO IEC 27002 2013 versus ISO IEC 27002 2005

ISO IEC 27002 2013 Translated into Plain English

Plain English ISO IEC 27002 2013 Security Checklist

How to Order

Our Products

Our Prices

Our Guarantee

Home Page

Table of Contents

Our License

Our Customers

Telephone: 780-461-4514 - Email

Updated on April 23, 2014. On the Web since May 25, 1997.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
 material as often as you wish, free of charge. And as long as you keep intact
 all copyright notices, you are also welcome to print or make one copy of this
 page for your own personal, noncommercial, home use. But, you are not
 legally authorized to print or produce additional copies or to copy and paste
 any of our material onto another web site or to republish it in any way.

Copyright © 2004 - 2014 by Praxiom Research Group Limited. All Rights Reserved.