What is ISO 17799?

September 5, 2009

ISO 17799 (formally ISO/IEC 17799) is an information security standard published by the International Organization for Standardization, derived from the British standard BS 7799 Part 1. ISO is responsible for numerous other standards, including the OSI reference model. ISO 17799 covers a broad range of information security practices and acts as a framework an organization can use to establish and implement a security management program. The ten security domains that make up ISO 17799:2000 are:

  • Security policy: This domain provides top-down management direction for information security and the creation of an effective security management program.
  • Organizational security: This domain covers both the internal management of security (roles, responsibilities, coordination) and security in dealings with external parties. It isn't limited to technical controls, but also addresses relationship and reputation issues.
  • Asset classification and control: This domain focuses on inventorying, prioritizing, and classifying information based on its sensitivity and its requirements for confidentiality, integrity, and availability. It also covers the day-to-day handling and storage of such information.
  • Personnel security: This domain focuses on procedures for hiring, terminating, and training employees. Employees must be screened prior to employment, and confidentiality agreements and terms of employment need to be addressed and signed.
  • Physical and environmental security: This domain covers protecting assets from physical damage and from unauthorized physical access, for example through cipher locks or other entry controls. It also covers HVAC, power, and other environmental controls.
  • Communications and operations management: This domain covers techniques for ensuring secure communications and preserving data integrity, including firewalls, antivirus protection, encryption, and backups.
  • Access control: This domain covers access and monitoring controls through the use of discretionary, mandatory, and role-based access control. It includes authentication and identity management.
  • System development and maintenance: This domain covers building security into systems from the start and managing changes to them over time, including quality assurance and keeping controls effective as technology advances.
  • Business continuity management: This domain covers strategies for protecting the business from major outages and preparing for unforeseen circumstances such as natural disasters, including plans for recovering operations.
  • Compliance: This domain covers applicable laws and regulations (at the local, state, and federal levels for a US organization) and contractual obligations. It also addresses protection of trade secrets and intellectual property.

The standard was revised in 2005 as ISO/IEC 17799:2005 and renumbered in 2007 as ISO/IEC 27002, the code of practice within the ISO 27000 family. The revision added an eleventh domain, information security incident management, and the domain names are now:

  • security policy;
  • organization of information security;
  • asset management;
  • human resources security;
  • physical and environmental security;
  • communications and operations management;
  • access control;
  • information systems acquisition, development and maintenance;
  • information security incident management;
  • business continuity management;
  • compliance.

Organizations should create policies and controls for each domain, tailored to their own mission, objectives, and risk profile rather than adopted verbatim.
