ISO 17799 is an internationally recognized Information Security Management Standard, first published by the International Organization for Standardization, or ISO (www.iso.ch), in December 2000.

1. Management Best Practice
Based on ISO/IEC 17799
By René Saint-Germain
Presented By : Parves Kamal

2. Management Best Practice Based on ISO/IEC 17799
Agenda:
 Get To know The Author
 What is ISO 17799?
 Background on ISO 17799
 The Ten Domains of ISO/IEC 17799
 Implementation Considerations
 Certification Process
 Benefits of Implementing the ISO/IEC 17799/BS 7799 Framework
 Survey
 How much It Cost
 References
 Questions?
2

3. Author’s Background
Article was published In July 2005
At : Information Management Journal;Jul/Aug2005, Vol. 39 Issue 4,
p60
René Saint-Germain has expertise in the implementation of
governance and IT compliance frameworks (ISO 9001, ISO 20000,
ISO 27001, ISO 27002, ISO 27005, ISO 22301, SOX, ITIL, COBIT).
As member of the International Committee for the development of
security standards (CS27), he had participated in the development of
ISO 27001 and others ISO 27000 family standards.
Current Position: Training and Audit Manager at Altirian
Scheme Committee Member at PECB
Lead Auditor at Bureau Veritas
3

4. What is ISO 17799
ISO 17799 is an internationally recognized Information Security
Management Standard, first published by the International
Organization for Standardization, or ISO (www.iso.ch), in December
2000.
ISO 17799 is high level, broad in scope, and conceptual in nature.
ISO 17799 is not:
A technical standard
Product or technology driven
An equipment evaluation methodology such as the Common
Criteria/ISO 15408
4

5. Background on ISO 17799
ISO 17799 is a direct descendant of the British Standard Institute (BSI)
Information Security Management standard BS 7799.
British Standard (BS) 7799 from the British Standards Institution (BSI)
was first published in 1995 to provide guidance and best practices in
information security
The original standard ("Part 1") was revised and released in 1999.
Adopted by ISO as ISO 17799 in 2000, In 2005 BS17799 part 1 was
revised and in 2007 incorporated as ISO/IEC 27002
After wide consultation, it was determined that there was a need for a
"specification" that could be audited against or used as a baseline. Thus,
in 1998 a second part ("Part 2") was released, which was a specification
for an Information Security Management System. BS 7799 Part 2 was
adopted by ISO as ISO/IEC 27001 in November 2005
5

6. The Ten Domains of ISO/IEC 17799
6
The Ten Domains of ISO/IEC 17799

7. The Ten Domains of ISO/IEC 17799
Security Policy
Security Policy control addresses management support, commitment, and
direction in accomplishing information security goals, including:
Information Security Policy document – a set of implementation-
independent, conceptual information security policy statements governing
the security goals of the organization.
Ownership and review – Ongoing management commitment to
information security is established by assigning ownership and review
schedules for the Information Security Policy document.
7

8. The Ten Domains of ISO/IEC 17799
Organizational Security
Organizational Security control addresses the need for a management
framework that creates, sustains, and manages the security infrastructure,
including:
 Information System Security Officer (ISSO) – acts as a central point of contact for
information security issues, direction, and decisions.
 Information Security responsibilities – individual information security
responsibilities are unambiguously allocated and detailed within job
descriptions.
 Authorization processes – ensures that security considerations are evaluated and
approvals obtained for new and modified information processing systems.
 Third-party access – mechanisms to govern third-party interaction within the
organization based on business requirements.
 Outsourcing – organizational outsourcing arrangements should have clear
contractual security requirements.
8

9. The Ten Domains of ISO/IEC 17799
Asset Classification and Control
Asset Classification and Control addresses the ability of the security
infrastructure to protect organizational assets, including:
 Accountability and inventory – Mechanisms to maintain an accurate
inventory of assets, and establish ownership and stewardship of all
assets.
 Classification – Mechanisms to classify assets based on business
impact.
 Labeling – Labeling standards to indicate whether it is sensitive or
critical.
 Handling – Handling standards; which is appropriate for copy, store,
transmit or destruction of the information asset based on asset
classification.
9

10. The Ten Domains of ISO/IEC 17799
Personnel Security
Personnel Security control addresses an organization’s ability to mitigate risk
inherent in human interactions, including:
 Personnel screening –Ascertain the qualification and suitability of all
personnel with access to organizational assets. This framework may be
based on job descriptions and/or asset classification.
 Security responsibilities – Personnel should be clearly informed of their
information security responsibilities, including codes of conduct and non-
disclosure agreements.
 Terms and conditions of employment – Personnel should be clearly informed
of their information security responsibilities as a condition of employment.
 Training – A mandatory information security awareness training program is
conducted for all employees, including new hires and established employees.
 Recourse – A formal process to deal with violation of information security
policies.
10

11. The Ten Domains of ISO/IEC 17799
Physical and Environmental Security
Physical and Environmental Security control addresses risk inherent to
organizational premises, including:
 Location – Organizational premises should be analyzed for environmental
hazards.
 Physical security perimeter – The premises security perimeter should be
clearly defined and physically sound. A given premises may have multiple
zones based on classification level or other organizational requirements.
 Access control – Breaches in the physical security perimeter should have
appropriate entry/exit controls commensurate with their classification level.
 Equipment – Equipment should be sited within the premises to ensure physical
and environmental integrity and availability.
 Asset transfer – Mechanisms to track entry and exit of assets through the
security perimeter.
11

12. The Ten Domains of ISO/IEC 17799
Communications and Operations Management
Communication and Operations Management control addresses an
organization’s ability to ensure correct and secure operation of its assets,
including:
 Operational procedures – Comprehensive set of procedures, in support of
organizational standards and policies.
 Change control – Process to manage change and configuration control,
including change management of the Information Security Management
System.
 Incident management – Mechanism to ensure timely and effective
response to any security incidents.
 Segregation of duties – Segregation and rotation of duties minimize the
potential for collusion and uncontrolled exposure.
 Capacity planning – Mechanism to monitor and project organizational
capacity to ensure uninterrupted availability.
12

13. The Ten Domains of ISO/IEC 17799
 General – Policies and standards, such as utilization of shredding equipment,
secure storage, and “cleandesk” principles, should exist to govern operational
security within the workspace.
 System acceptance – Methodology to evaluate system changes to ensure
continued confidentiality, integrity, and availability.
 Malicious code - Controls to mitigate risk from introduction of malicious
code.
 Housekeeping – Policies, standards, guidelines, and procedures to address
routine housekeeping activities such as backup schedules and logging.
 Network management - Controls to govern the secure operation of the
networking infrastructure.
 Media handling – Controls to govern secure handling and disposal of
information storage media and documentation.
13

14. The Ten Domains of ISO/IEC 17799
Access Control
Access Control addresses an organization’s ability to control access to assets
based on business and security requirements, including
User management – mechanisms to:
 Register and deregister users
 Control and review access and privileges
 Manage passwords
Network access control – policy on usage of network services,
including mechanisms (when appropriate) to:
 Authenticate nodes
 Authenticate external users
 Define routing
 Control network device security
 Maintain the security of network services
14

15. The Ten Domains of ISO/IEC 17799
Host access control – Mechanisms (when appropriate) to:
 Automatically identify terminals
 Securely log-on
 Authenticate users
 Manage passwords
 Secure system utilities
 Furnish user duress capability, such as “panic buttons”
 Enable terminal, user, or connection timeouts
 Application access control – Limits access to applications based
on user or application authorization levels.
 Access monitoring – Mechanisms to monitor system access and
system use to detect unauthorized activities.
 Mobile computing – Policies and standards to address asset
protection, secure access, and user responsibilities.
15

16. The Ten Domains of ISO/IEC 17799
System Development and Maintenance
Security should ideally be built at the time of inception of a system. Hence
security requirements should be identified and agreed prior to the development of
information systems.
 System security requirements – Incorporates information security
considerations in the specifications of any system development or
procurement.
 Application security requirements – Incorporates information security
considerations in the specification of any application development or
procurement.
 Cryptography – Policies, standards, and procedures governing the usage and
maintenance of cryptographic controls.
 System Integrity – Mechanisms to control access to, and verify integrity of,
operational software and data, including a process to track, evaluate, and
incorporate asset upgrades and patches.
 Development security – Integrates change control and technical reviews into
development process.
16

17. The Ten Domains of ISO/IEC 17799
Business Continuity Management
Business Continuity Management control addresses an organization’s ability to
counteract interruptions to normal operations, including:
 Business continuity planning – Business continuity strategy based
on a business impact analysis.
 Business continuity testing – Testing and documentation of business
continuity strategy.
 Business continuity maintenance – Identifies ownership of
business continuity strategy as well as ongoing re-assessment and
maintenance.
17

18. The Ten Domains of ISO/IEC 17799
Compliance
Compliance control addresses an organization’s ability to remain in compliance
with regulatory, statutory, contractual, and security requirements, including:
Legal requirements – awareness of:
 software copyright
 Intellectual property rights
 Safeguarding of organizational records
 Data protection and privacy of personal Information.
 Prevention of misuse
 Regulation of cryptography
 Collection of evidence
18

19. Implementation Considerations
19
Uses of the ISO/IEC 17799 Standard

20. Certification Process
 Organizations that base information security management
systems (ISMS) on BS 7799 specifications can apply to
become certified.
 What is an ISMS? Framework to manage the security risks
within an organization
 An organization that obtains certification is said to be ISO/IEC
17799 compliant and BS 7799 certified.
 To guide organizations through this process, BS 7799 uses the
Plan-Do-Check-Act (PDCA) model
 Once an organization has developed, implemented, and
documented its ISMS, an accredited certification body
carries out a third-party audit
20

21. Certification Process21
PDCA PHASE

22. Benefits of Implementing the
ISO/IEC 17799/BS 7799 Framework
 BS 7799 certification serves as a public statement of an organization’s ability
to manage information security. It demonstrates to partners and clients that the
organization has implemented adequate information security and business
continuity controls.
 It also demonstrates the organization’s commitment to ensuring that its
information security management system and security policies continue to
evolve and adapt to changing risk exposures
 Certification is a mark of distinction that sets organizations apart from their
competition and provides partners, shareholders, and clients with greater
confidence.
 ISO/IEC 17799 compliant organizations are exposed, these organizations will
spend less money recovering from security incidents, which may also translate
into lower insurance premiums
22

23. Survey
23

24. Survey
24

25. Survey25

26. Survey
26

27. Survey
27

28. How much It Cost
 A copy of 17799 is available through the ISO Web site
(www.iso.org) roughly $150, But that $150 investment is only a
fraction of the cost of security assessments, penetration testing,
auditors and consultants, which can run into the hundreds of
thousands--if not millions--of dollars. This is why organizations
with a solid working knowledge of their security threats have a
better shot at using the standard.
28

29. References
 IT Governance: Data Security & BS 7799/ISO 17799 by Alan Calder and
Steve Watkins 2002
 ISO/IEC 17799:2000(E) Code of Practice for Information Security
Management Geneva: ISO 2000 www.iso.ch
 BS 7799-2:2002 Information Security Management Systems –
Specification with Guidance for Use. London: BSi, September 2002
www.bsi-global.com
 http://www.bsmreview.com/security_best_practice_survey.shtml
 http://www.gta.ufrj.br/ensino/cpe728/03_ins_info_security_iso_17799_110
1.pdf
 http://www.gta.ufrj.br/ensino/cpe728/03_ins_info_security_iso_17799_110
1.pdf
 http://www.openmpe.com/cslproceed/HPW04CD/papers/3353.pdf
29

30. 30

31. 31