Welcome to the second edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to 17799 and related information security issues. The newsletter comprises a combination of inclusive articles and the identification of useful and topical sources on the web.
This edition covers:
HOW THE STANDARD FITS TOGETHER
The standard effectively comprises of two parts:
a) Part 1: ISO/IEC 17799:2000 - this is the set of security controls... the measures and safeguards for potential implementation. It is the main body of the standard itself.
b) Part 2: BS7799-2:1999 - this a standard 'specification' for an Information Security Management System (an ISMS). It is the means managers use to measure, monitor and control their security from a top down perspective. It essentially explains how to apply ISO17799 and it is this part that can currently be certified against.
Part 2 defines a six part process, broadly as follows:
Define a security policy
Define the scope of the ISMS
Undertake a risk assessment
Manage the risk
Select control objectives and controls to be implemented
Prepare a statement of applicability (SoA).
This perhaps indicates to a degree why web sites and this newsletter focus so heavily upon risk analysis and security policies - they are absolutely central to ISO 17799.
RISK ANALYSIS: You do not have to implement every control covered by ISO17799 - only those that are applicable and appropriate.. the latter largely being determined via risk analysis.
SECURITY POLICIES: Policies are of course 'the bottom line' - the rules which define the baseline requirements for your organization. It is therefore critical that they are top quality (see www.information-security-policies-and-standards.com for more information on security policies).