Welcome to the tenth issue of ISO17799 News, designed to keep you abreast of developments and news with respect to ISO 17799 and information security. The information within the newsletter is totally free to subscribers and provides guidance on various practical issues, as well as commentary on recent Information Security incidents.
Included in this edition are the following topics:
YET MORE FREQUENTLY ASKED QUESTIONS
1) Are there any forums or message boards on which I can discuss ISO 17799 topics or issues with other people?
Yes. The two biggest are:
- The ISO 17799 Community: www.17799.com
- The Yahoo ISO 17799 Group: http://groups.yahoo.com/group/iso17799security/
2) What is the PDCA Model?
This is the "Plan-Do-Check-Act" model and is used in BS 7799-2. It is intended to be used as the basis for creating, implementing, monitoring and maintaining an information security management system. This is more fully documented at 'Induction to BS7799' (www.induction.to/bs7799/).
3) Where can I find a consultant to help?
A directory of ISO17799 and BS7799 Consultants can be found at: iso17799world.com
4) What is accreditation and certification?
An accreditation body is an organization (usually a national one) which grants third parties the authority to issue 'certificates' (to certify) against standards. This third party is the certification company, which actually certifies against the standard. Examples include: BSI, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH.
5) How should security REQUIREMENTS be established? ISO 17799 identifies three main sources:
- "The first source is derived from assessing risks to the organization. Through risk assessment threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated"
- "The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy"
- "The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations".