ISO 17799



  • I want to know more about this: what it is, what the process is, how one should approach it, etc.
    If anyone has any info or experience about this and wouldn't mind sharing, I would appreciate it very much.
    Thank you,
    SG



  • ISO 17799 is a Code of Practice for information security management. It is basically a framework for putting your own guidelines and regulations together. It also contains a lot of suggestions for security controls.
    I have been working with it to create our own security documents for the last two years and find it very useful. The process, I guess, depends on what you have as a starting point in your organization…
    Anders



  • BS 7799/ISO 17799 has been published in two parts:
    ISO/IEC 17799 Part 1: Code of Practice for Information Security Management
    This is basically guidelines and recommendations to ensure security of information. It has 10 domains of application. It has in all 36 security objectives and 127 security controls. It was revised sometime in June-July this year and I guess it now has 11 domains.
    BS 7799 Part 2: Information Security Management - Specification with Guidance for Use.
    It again has the same 10 domains and 127 controls. An organization that bases its ISMS (Information Security Management System) on BS 7799 provisions can obtain a certification.
    Organizations which obtain this certification are considered ISO 17799 compliant and BS 7799 certified.
    History of development:
    BSI (British Standards Institute) developed BS 7799 sometime in the beginning of the 1990s.
    In 1995 it was adopted officially.
    1999 - Major revision - after this ISO started taking interest in it.
    Dec 2000 - ISO took over the first part and rebaptised it as ISO 17799.
    Sept 2002: a revision of the second part of BS 7799 was carried out to make it consistent with other management standards such as ISO 9001:2000 and ISO 14001:1996, as well as the principles of the OECD (Organisation for Economic Co-operation and Development).
    In a nutshell, ISO 17799 is something you can base your security policy around. The guidelines are good and comprehensive and cover all the required areas of information security. But it's a technical standard and doesn't lead to a certification.
    Hope this helps.
    CH



  • OK, I got some more news…
    The old standard (version 2000) has been withdrawn and a new one (June 2005) is in place now, which covers more areas like patch management, outsourcing etc.
    As written previously, the domains are 11 now. It has reshaped and extended more areas too.
    Thanks
    CH

