ISO/IEC 17799

Definition

ISO/IEC 17799, now known as ISO/IEC 27002, is an international standard providing guidelines for best practices in information security management. It establishes a comprehensive framework covering various aspects of information security, including risk management, access control, and physical security. The standard is designed to help organizations develop, implement, and maintain effective information security policies to protect their data and prevent security breaches.

Phonetic

I-s-o-slash-I-E-C 1-7-7-9-9:India – Sierra – Oscar – Slash – India – Echo – Charlie – One Seven – Seven – Nine – Nine

Key Takeaways

1. ISO/IEC 17799 is an internationally recognized standard for Information Security Management Systems (ISMS), which provides a framework and guidelines for organizations to both implement and maintain effective information security practices.
2. The standard has 11 security domains, covering aspects such as risk assessment, access control, physical security, and incident management, among others. These domains provide comprehensive guidance to help organizations establish robust information security measures.
3. ISO/IEC 17799 has evolved over the years, and its latest version is ISO/IEC 27002, which forms a part of the ISO/IEC 27000 family of information security management standards. This ensures that organizations using the latest version are aligned with current best practices in information security.

Importance

ISO/IEC 17799, now known as ISO/IEC 27002, is a vital international standard for information security management.

It’s essential because it provides organizations with a comprehensive framework and guidelines for ensuring the confidentiality, integrity, and availability of their information assets.

By implementing these best practices for risk management, access control, incident response, and other critical aspects of information security, organizations can safeguard their sensitive data, protect their reputation, and comply with relevant laws and regulations.

Adhering to this standard helps instill confidence in customers, stakeholders, and partners about an organization’s commitment to maintaining robust information security controls.

Explanation

ISO/IEC 17799, now known as ISO/IEC 27002, is an internationally recognized standard for information security management that aims to help organizations establish and maintain an effective security framework. The purpose of this standard is to provide guidance for implementing a robust information security management system (ISMS) that is not only capable of protecting sensitive data but also aids in mitigating various cyber threats.

ISO/IEC 27002 focuses on a set of best practices that cover multiple aspects of information security, including risk management, access control, cryptography, and incident response. The standard helps organizations in creating a secure environment by addressing the policies, processes, and controls necessary for safeguarding their vital information assets.

In today’s rapidly evolving digital landscape, organizations of all sizes and across industries are faced with the growing challenge of safeguarding their sensitive data, intellectual property, and customer information. ISO/IEC 27002 serves as a valuable tool to help address this challenge by establishing a comprehensive framework for managing and protecting information assets.

Organizations that adopt and adhere to this standard demonstrate their commitment to information security, not only to their customers and stakeholders but also to the wider global business community. Compliance with ISO/IEC 27002 can foster trust between organizations and contribute to the overall development of a more secure digital ecosystem.

Examples of ISO/IEC 17799

ISO/IEC 17799, now known as ISO/IEC 27002, is an international standard that provides guidelines for best practices in information security management. Here are three real-world examples where organizations have implemented this standard to improve their security posture:

Banking and Finance: A major global bank adopted the ISO/IEC 17799 standard to assess and strengthen its information security controls. The bank’s information security team conducted a gap analysis and identified areas where improvements were necessary. They then developed and implemented new policies and procedures based on the standard’s recommendations. As a result, the bank was able to reduce its risk exposure, protect sensitive customer data, and comply with financial industry regulations.

Healthcare: A large hospital system used the ISO/IEC 17799 framework for implementing a comprehensive information security management system (ISMS). The hospital conducted a risk assessment to identify its security vulnerabilities and developed security policies, procedures, and controls based on the standard’s guidelines. This helped the hospital to protect sensitive patient information and comply with regulatory requirements such as HIPAA.

Government: A national government agency responsible for maintaining the security of sensitive data adopted the ISO/IEC 17799 standard to guide its information security practices. The agency conducted a risk assessment and established security controls based on the standard’s recommendations. It also trained its staff on the new policies and procedures, which helped the agency better secure its critical information infrastructure and enhance its overall information security posture.

FAQs: ISO/IEC 17799

1. What is ISO/IEC 17799?

ISO/IEC 17799 is an international standard for information security management systems (ISMS). It provides a comprehensive set of security guidelines and best practices to help organizations establish an effective security program and protect their sensitive data and assets.

2. Why is ISO/IEC 17799 important?

Adopting ISO/IEC 17799 helps organizations identify, manage, and reduce risks to their information assets. This standard is essential for organizations to ensure the confidentiality, integrity, and availability of information. Compliance with ISO/IEC 17799 can also help to build trust with customers, partners, and investors.

3. How does ISO/IEC 17799 relate to ISO/IEC 27001?

ISO/IEC 17799 was published in 2000 and later renumbered as ISO/IEC 27002 in 2007. It was initially developed as a security guideline, while ISO/IEC 27001 was the certification standard for ISMS. Today, ISO/IEC 27002 provides a set of security controls to support the implementation of ISO/IEC 27001-certified ISMS.

4. What are the main sections of ISO/IEC 17799/27002?

ISO/IEC 27002 consists of 14 security domains, which cover various aspects of information security, such as security policies, organization, asset management, human resource security, physical and environmental security, technical security, operations management, access control, and compliance with laws and regulations.

5. How can an organization become ISO/IEC 17799 or ISO/IEC 27001 compliant?

An organization can work with an accredited certification body to undergo an assessment against the standard’s security requirements. They must implement an effective ISMS that addresses the identified risks, demonstrates active management, and continuously improves its security. Once the organization has successfully passed the certification audit, it will obtain an ISO/IEC 27001 certificate, demonstrating its commitment to information security.

Related Technology Terms

• Information Security Management
• ISO/IEC 27002
• Risk Assessment
• Security Controls
• Information Security Policies

Sources for More Information

• ISO – International Organization for Standardization: https://www.iso.org/standard/39612.html
• IEC – International Electrotechnical Commission: https://www.iec.ch/infoserv/search/details?id_document.ref=RQ-000000&type_document_ref=RQ
• NIST – National Institute of Standards and Technology: https://csrc.nist.gov/publications/detail/sp/800-100/final
• ISACA – Information Systems Audit and Control Association: https://www.isaca.org/resources/isaca-journal/issues/2005/volume-4/the-relationship-between-iso-17799-and-itil-stage3