ISO/IEC 17799 is entitled "Information technology - Security techniques - Code of
practice for information security management". An earlier version of the standard,
ISO/IEC 17799:2000, was essentially a word-for-word copy of BS 7799-1:1999
from BSI (the British Standards Institution).
ISO/IEC 17799:2005 sets out best-practice recommendations for information security
management, aimed at those who initiate, implement or maintain an information
security management system. The standard defines "information security" as the
preservation of three distinct properties: confidentiality (information can be
accessed only by those who are authorized), integrity (the accuracy and completeness
of data and of the methods used to process it), and availability (information is
accessible to authorized users when they need it).
There are twelve main sections in the ISO/IEC 17799:2005 standard:
- Risk assessment and treatment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
For each of these sections the standard identifies the information security control
objectives to be met and provides guidance on how to implement each one.
Organizations are expected to carry out a well-structured information security risk
assessment to establish their requirements before selecting the controls to apply.
No specific controls are mandated, because no general-purpose standard can anticipate
every control an organization may need.