The ISO27000 Newsletter - News & Views on the ISO/IEC Security Standard

ISO17799 News - Issue 2

Welcome to the second edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to 17799 and related information security issues. The newsletter combines articles with pointers to useful and topical sources on the web.

This edition covers:


HOW THE STANDARD FITS TOGETHER

The standard effectively comprises two parts:

a) Part 1: ISO/IEC 17799:2000 - this is the set of security controls: the measures and safeguards for potential implementation. It is the main body of the standard itself.

b) Part 2: BS7799-2:1999 - this is a standard 'specification' for an Information Security Management System (an ISMS). It is the means managers use to measure, monitor and control their security from a top-down perspective. It essentially explains how to apply ISO17799, and it is this part that can currently be certified against.

Part 2 defines a six-part process, broadly as follows:

1) Define a security policy
2) Define the scope of the ISMS
3) Undertake a risk assessment
4) Manage the risk
5) Select control objectives and controls to be implemented
6) Prepare a statement of applicability (SoA)

This perhaps indicates to a degree why web sites and this newsletter focus so heavily upon risk analysis and security policies: they are absolutely central to ISO 17799.

RISK ANALYSIS: You do not have to implement every control covered by ISO17799 - only those that are applicable and appropriate, the latter largely being determined via risk analysis.

SECURITY POLICIES: Policies are of course 'the bottom line' - the rules which define the baseline requirements for your organization. It is therefore critical that they are of top quality (see www.information-security-policies-and-standards.com for more information on security policies).


© Copyright 2005/2006. RS