- Confidentiality - ensuring that information is accessible only to those authorized to have access
- Integrity - safeguarding the accuracy and completeness of information and processing methods
- Availability - ensuring that authorized users have access to information and associated assets when required
As a standard that is primarily conceptual, ISO 17799 is not:
- A technical standard
- Product or technology driven
- Related to the five-part "Guidelines for the Management of IT Security," or GMITS/ISO 13335, which provides a conceptual framework for managing IT security
How to use ISO 17799
Information security is, for most companies, of the highest concern yet can often mean trade-offs in terms of balancing the requirements of business against the need for confidentiality, integrity, and availability of information. Traditionally, information security management has been based on loosely established best practices and guidelines with the primary goal of preventing, detecting, and containing security breaches, and restoring affected data to its previous state.
ISO 17799 provides companies with an established framework from which to build a robust and operational Information Security Management System (ISMS). As a comprehensive information security process, the ISO 17799 standard provides companies with the following benefits:
- The creation of a defined process to evaluate, implement, maintain, and manage information security
- A structured security methodology recognized internationally
- Tailored policies, procedures and guidelines
- Enterprise-wide operational cost savings
- Demonstration of comprehensive "due diligence"
- Better management of information security risks on a planned and ongoing basis
- Increased access to new customers and business partners through an improved corporate image
- The ability to demonstrate a commitment to information security while at the same time being able to evaluate the security status of business partners
Compliance Requirement
An Information Security Management System (ISMS) provides the information necessary to understand the information security policies and practices in place at the company. The standard for compliance and registration is BS 7799-2:1999. A supplementary document, ISO 17799, is a Code of Practice that gives recommendations for information security management.
The ISMS standard provides specific requirements for security controls and documents to be implemented and maintained in the company on a day-to-day operational basis. In addition, the ISMS must include appropriate monitoring, reporting and review processes to ensure its effective functioning and to identify and implement corrective measures in a timely manner.
An ISMS is a continuous progression of compliance, improvement and prevention. The following outlines the basic requirements to obtain compliance:
- Define the policy
The ISMS Policy describes a company's shared vision, commitment and direction in information security. It gives a definition of information security, its objectives and scope, the management intent, a brief explanation of the compliance requirements, information security responsibilities and the supporting documentation.
- Define the scope of the ISMS
Depending on its characteristics, such as location, assets and technologies, the company has to define the boundaries of its ISMS and set those boundaries as the scope.
- Undertake a risk assessment
Once the scope is defined, the company must undertake a risk assessment to evaluate the risks and threats to the information system and their respective impacts on the organization. When evaluating risks, the company should take into account at a minimum both the severity of the risks and their likelihood of occurrence.
- Manage the risk
Next, the company has to determine how to manage the risks. Based on its information security policy and the degree of assurance required, the company has to prioritize the risks. Not all high-risk areas are required to be tackled. Backed by a proper decision process, the company can determine how it will deal with the prioritized risks.
- Select control objectives and controls to be implemented
A list of 10 control objectives and controls comes with BS 7799-2:1999, with their respective recommended practices detailed in ISO 17799. The company has to select those controls that are appropriate to its operation for implementation. The selection should be justified.
- Prepare a statement of applicability
From the previous stage, the company has decided which control objectives and controls are selected for implementation. The reasons for the selection are required to be documented in the Statement of Applicability. Any exclusions and exceptions should also be specified clearly in the Statement of Applicability.