The ISO27000 Newsletter - News & Views on the ISO/IEC Security Standard

ISO17799 News - Issue 2

Welcome to the second edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to 17799 and related information security issues. The newsletter combines articles written for the newsletter itself with pointers to useful and topical sources on the web.

This edition covers:


The standard effectively comprises two parts:

a) Part 1: ISO/IEC 17799:2000 - this is the set of security controls, the measures and safeguards for potential implementation. It is the main body of the standard itself.

b) Part 2: BS7799-2:1999 - this is a standard 'specification' for an Information Security Management System (an ISMS). It is the means managers use to measure, monitor and control their security from a top-down perspective. It essentially explains how to apply ISO17799, and it is this part that can currently be certified against.

Part 2 defines a six-part process, broadly as follows:

Define a security policy
Define the scope of the ISMS
Undertake a risk assessment
Manage the risk
Select control objectives and controls to be implemented
Prepare a statement of applicability (SoA).

This perhaps indicates to a degree why web sites and this newsletter focus so heavily upon risk analysis and security policies: they are absolutely central to ISO 17799.

RISK ANALYSIS: You do not have to implement every control covered by ISO17799, only those that are applicable and appropriate; the latter is largely determined via risk analysis.

SECURITY POLICIES: Policies are of course 'the bottom line', the rules which define the baseline requirements for your organization. It is therefore critical that they are of top quality (see for more information on security policies).


© Copyright 2005/2006. RS