ISO/IEC 17799
ISO/IEC 17799, an international standard for information security
Main Description

What is ISO/IEC 17799?

ISO/IEC 17799 is a widely recognized Code of Practice for Information Security Management. It began as British Standard BS 7799 (Part 1), first published in February 1995. When it was republished in December 2000 it became the international standard ISO/IEC 17799:2000. The standard was updated in 2005 as ISO/IEC 17799:2005(E), with revisions to the areas covered; in 2007 it was renumbered ISO/IEC 27002, the designation under which it is maintained today. The 2005 edition documents 133 specific controls, grouped into 39 control objectives across 11 distinct chapters (clauses).



Domain                           Specifications  Best Practices  Process Model  Maturity Model
Information security management  yes             no              no             no


ISO/IEC 17799 is comprehensive in its coverage of security issues. It contains a significant number of control requirements. Compliance with ISO/IEC 17799 is consequently a substantial undertaking, even for the most security conscious organizations.

It is recommended that ISO/IEC 17799 be implemented step by step. The usual starting point is an assessment of the current security posture, followed by identification of the gaps between that posture and the controls the standard requires. From there, the changes must be planned and implemented rigorously.

This section is intended to help you understand the 11 sections (clauses 5 to 15 of the standard) that have to be considered when applying an overall enterprise security approach. Each section below lists the ISO/IEC 17799:2005 control objectives it contains, the PRM-IT (IBM Process Reference Model for IT) process or processes that address each objective, and, where the mapping identifies them, the specific PRM-IT activities involved. Where no specific activity is listed, the mapping identifies none for that objective.

For more information about ISO/IEC 17799, see the ISO web site at http://www.iso.org/

A.1. Security Policy

Objective: Provide security policies in accordance with laws, regulations, and the business
  PRM-IT process(es): Security Management
  Specific activities: Establish Security Management Framework; Evaluate Security Management Performance

A.2. Organization of Information Security

Objective: Manage internal information security
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Manage security for information accessed by external parties
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

A.3. Asset Management

Objective: Protect organizational assets
  PRM-IT process(es): Asset Management; Facilities Management; Security Management
  Specific activities: (none identified)

Objective: Ensure an appropriate level of information protection
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

A.4. Human Resources Security

Objective: Ensure that all internal and external parties understand their responsibilities, to reduce theft, fraud, and misuse
  PRM-IT process(es): Workforce Management; Security Management
  Specific activities: Administer Human Resources; Establish Security Management Framework

Objective: Ensure that all internal and external parties understand security threats and concerns
  PRM-IT process(es): Workforce Management; Security Management
  Specific activities: Administer Human Resources; Establish Security Management Framework

Objective: Ensure an orderly process for exiting the organization or changing employment
  PRM-IT process(es): Workforce Management; Security Management
  Specific activities: Administer Human Resources; Establish Security Management Framework

A.5. Physical and Environmental Security

Objective: Prevent damage and unauthorized physical access to premises and information
  PRM-IT process(es): Facilities Management
  Specific activities: (none identified)

Objective: Prevent loss, damage, theft, or compromise of equipment
  PRM-IT process(es): Facilities Management; Asset Management
  Specific activities: (none identified)

A.6. Communications and Operations Management

Objective: Ensure secure operation of facilities through operational procedures and responsibilities
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Provide an appropriate level of security according to service delivery agreements
  PRM-IT process(es): Security Management; Supplier Management
  Specific activities: (none identified)

Objective: Minimize the risk of system failure during system planning and acceptance
  PRM-IT process(es): Availability Management
  Specific activities: (none identified)

Objective: Provide protection against malicious and mobile code
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Provide appropriate backups to maintain information integrity and availability
  PRM-IT process(es): Data Management
  Specific activities: Backup and Restore Data

Objective: Protect information within networks and related infrastructure
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Provide secure handling of media to prevent unauthorized information access
  PRM-IT process(es): Security Management; Data Management
  Specific activities: (none identified)

Objective: Maintain secure information exchange with external parties
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Ensure secure use of electronic commerce services
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Monitor and detect unauthorized information processing activities
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

A.7. Access Control

Objective: Control information access
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Prevent unauthorized user access to information
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Prevent compromise or theft of information
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Prevent unauthorized network access
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Prevent unauthorized operating system access
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Prevent unauthorized application system access
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Ensure information security for mobile users
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

A.8. Information Systems Acquisition, Development and Maintenance

Objective: Integrate security with information systems
  PRM-IT process(es): Architecture Management; Solution Analysis and Design; Security Management
  Specific activities: (none identified)

Objective: Prevent misuse of information in applications
  PRM-IT process(es): Security Management; Solution Acceptance; Solution Analysis and Design; Solution Development and Integration; Solution Requirements; Solution Test
  Specific activities: (none identified)

Objective: Use cryptography to protect information confidentiality, authenticity, and integrity
  PRM-IT process(es): Security Management; Solution Acceptance; Solution Analysis and Design; Solution Development and Integration; Solution Requirements; Solution Test
  Specific activities: (none identified)

Objective: Ensure the security of system files
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Maintain the security of application systems
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

Objective: Reduce exploitation of published technical vulnerabilities
  PRM-IT process(es): Security Management
  Specific activities: (none identified)

A.9. Information Security Incident Management

Objective: Report security events to allow timely corrective action
  PRM-IT process(es): Security Management; Incident Management
  Specific activities: (none identified)

Objective: Provide a consistent and effective approach to managing security incidents
  PRM-IT process(es): Workforce Management; Security Management
  Specific activities: Establish Security Management Framework; Evaluate Security Management Performance

A.10. Business Continuity Management

Objective: Reduce the effects of major failures or disasters on business processes
  PRM-IT process(es): IT Service Continuity Management
  Specific activities: (none identified)

A.11. Compliance

Objective: Comply with legal, statutory, regulatory, and security requirements
  PRM-IT process(es): Compliance Management; Security Management
  Specific activities: (none identified)

Objective: Comply with organizational security policies and standards
  PRM-IT process(es): Compliance Management; Security Management
  Specific activities: (none identified)

Objective: Minimize interference from auditing
  PRM-IT process(es): Compliance Management
  Specific activities: Establish Compliance Management Framework; Evaluate Compliance Management Performance

More Information