International Organization for Standardization Security Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to: navigation, search

ISO 17799

The International Organization for Standardization Security Standard (ISO 17799) is an internationally recognized information Security Management standard consisting of security clauses, controls, and objectives comprising best practices in information security. This section highlights the templates from the Best Practice Policy Framework library (for example, policy and standards controls)that are needed to create, implement, and maintain an Information Security Program that complies with ISO 17799.

ISO 17799 Policy Sample Library

ISO 17799 defines Security Policy objectives to provide management direction and support for information security. This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Security Policy objectives.


ISO 17799 defines Organizational Security objectives to manage information security within the organization; maintain the security of organizational information processing facilities and information to third parties; and maintain the security of information when the responsibility for information processing has been outsourced to another organization. This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Organizational Security objectives by clearly establishing Information Security roles and associated responsibilities.


ISO 17799 defines Asset Classification and Control objectives to maintain appropriate protection of organizational assets and ensure that information assets receive an appropriate level of protection. This section provides templates for Information Security standards that are required to comply with ISO Asset Classification and Control objectives and support the objectives established in the Asset Identification and Classification Policy.


ISO 17799 defines Access Control objectives to control access to information; prevent unauthorized access to information systems; ensure the protection of networked services; prevent unauthorized computer access; detect unauthorized activities; and ensure information security when using mobile computing and tele-network facilities. This section provides templates for Information Security standards that are required to comply with ISO Access Control objectives and support the objectives established in the Asset Protection Policy, Acceptable Use Policy, and Threat Assessment and Monitoring Policy.


ISO 17799 defines Business Continuity Management objectives to counteract interruptions to business and protect critical business processes from the effects of major failures or disasters. This section provides templates for Information Security standards that are required to comply with ISO Business Continuity Management objectives and support the objectives established in the Asset Protection Policy, and Threat Assessment and Monitoring Policy.


ISO 17799 defines Physical and Environmental Security objectives to prevent unauthorized access, damage and interference to business premises and information; prevent loss, damage or compromise of assets and interruption to business activities; and prevent compromise or theft of information and information processing facilities. This section provides templates for Information Security standards that are required to comply with ISO Physical and Environmental Security objectives and support the objectives established in the Asset Protection Policy.


ISO 17799 defines Personnel Security objectives to reduce risks of human error, theft, fraud, or misuse of facilities; ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work; and minimize the damage from security incidents and malfunctions and learn from such incidents. This section provides templates for Information Security standards that are required to comply with ISO Personnel Security objectives and support the objectives established in the Acceptable Use Policy, Security Awareness Policy, and Threat Assessment and Monitoring Policy.


ISO 17799 defines Systems Development and Maintenance objectives to ensure security is built into operational systems; prevent loss. modification or misuse of user data; protect the confidentiality, authenticity and integrity of information; ensure IT projects and support activities are conducted in a secure manner; and maintain the security of application system software and data. This section provides templates for Information Security standards that are required to comply with ISO Systems Development and Maintenance objectives and support the objectives established in the Asset Protection Policy and Asset Management Policy.


ISO 17799 defines Communications and Operations Management objectives to ensure the correct and secure operation of information processing facilities; minimize the risk of systems failures; protect the integrity of software and information; maintain the integrity and availability of information processing and communication; ensure the safeguarding of information in networks and the protection of the supporting infrastructure; prevent damage to assets and interruptions to business activities; and prevent loss, modification or misuse of information exchanged between organizations. This section provides templates for Information Security standards that are required to comply with ISO Communications and Operations Management objectives and support the objectives established in the Asset Protection Policy, Asset Management Policy, Vulnerability Assessment and Management Policy, and Threat Assessment and Monitoring Policy.


ISO 17799 defines Compliance objectives to avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements; ensure compliance of systems with organizational security policies and standards; and maximize the effectiveness of and to minimize interference to/from the system audit process. This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Compliance objectives, as well as guidance for complying with regulations such as GLBA and HIPAA.


--Mdpeters 09:20, 14 July 2006 (EDT)