ISO 17799 2000
ISO 17799 2000 is OBSOLETE. Please see ISO IEC 27002 2013.
ISO AND IEC
ISO is the International Organization for Standardization. It was set up in 1947 and is located in Geneva, Switzerland. Its purpose is to develop standards that support and facilitate international trade. IEC is the International Electrotechnical Commission. It was set up in 1906 and is also located in Geneva, Switzerland. Its purpose is to develop standards for all types of electrotechnologies. Both ISO and IEC are supported by national member bodies. These member bodies participate in the standards development process through technical committees.
The ISO/IEC 17799 standard started out as a British standard called BS 7799. The BS 7799 standard was developed by the British Standards Institution. It became the ISO/IEC 17799 standard when a joint ISO/IEC technical committee adopted the standard for international use. This joint committee is called ISO/IEC JTC 1 and is responsible for all information technology standards.
Once this ISO/IEC information technology committee adopted the ISO/IEC 17799 standard, it was circulated to member organizations for approval. The ISO/IEC 17799 standard was formally approved during the year 2000, and finally published on December 1, 2000.
According to the standard’s official title page, ISO/IEC 17799 is made up of information security management practices. In the Scope section (part 1) of the standard, ISO/IEC says that the standard consists of recommendations. Therefore, we can say that the standard defines a set of recommended practices. Or more precisely, we can say that the standard defines a set of recommended information security management practices.
It’s important to think of the standard as a set of recommendations because ISO/IEC does not expect you to apply every piece of the standard. Instead, ISO/IEC suggests that you merely consider each recommendation as you try to improve your information security program.
You don’t have to accept every recommendation. It all depends on your information security needs. If a particular recommendation helps you to address an important security need, then accept it.
The ISO/IEC 17799 2000 standard is all about information. Since information can exist in many forms, the ISO/IEC 17799 standard takes a very broad approach. In the context of this standard, the term includes at least the
From the standpoint of an organization, information has value and is therefore an asset. It therefore needs to be protected just like any other corporate asset. And because information must be protected, the infrastructure that supports information must also be protected. This infrastructure includes all the networks, systems, and functions that allow an organization to manage and control its information assets. The big question is: how do you protect your information assets? That’s where the ISO/IEC 17799 standard comes in. It tries to tell you what you can do to protect your organization’s information assets.
But why should information assets need to be protected? Information needs to be protected because modern organizations are faced with a wide range of security threats. These threats include everything from human error and equipment failure, to theft, fraud, vandalism, sabotage, fire, flood, and even terrorism.
And what exactly is being protected? According to ISO/IEC, information security is all about protecting the confidentiality, integrity, and availability of information. That’s what you have to protect. And because these terms are central to what the standard is all about, ISO/IEC has tried to define them (in part 2 of the standard). According to ISO/IEC 17799:
Your Security Risks
ISO/IEC suggests that you begin by identifying your organization’s information security risks and needs.
Your Security Program
Once you’ve identified your information security risks and needs, you can begin to develop or improve your own information security program. Choose from the security practices recommended by this ISO/IEC 17799 standard. Select the practices that address the security risks that you face, the ones that meet your unique security needs, and ignore the ones that don’t.
ISO/IEC suggests that the following security practices are a good place to start, and therefore ought to be at the center of your information security program:
Your Success Factors
According to ISO/IEC, your organization’s information security program will be more successful if you accept the following suggestions:
PRAXIOM RESEARCH GROUP
Updated on April 23, 2014. On the Web since May 25, 1997.
Copyright © 2004 - 2014 by Praxiom Research Group Limited. All Rights Reserved.