Essential parts of ISO 17799 Information Technology—Code of Practice for Information Security Management were developed and published by the British Standards Institution, including BS 7799-1:1999 and parts of BS 7799-2:1999.
The ISO and IEC, which have established a joint technical committee, the ISO/IEC JTC 1, published the international standard.
ISO/IEC 17799:2000 provides guidance to the parties responsible for implementing information security within an organisation. It can be seen as a basis for developing security standards and management practices within an organisation and for improving confidence in information security in inter-organisational relationships.
The standard was published in 2000 in its first edition, which was updated in June 2005. It can be classified as current best practice in the subject area of information security management systems. The original BS 7799 was revised and reissued in September 2002.
The guiding principles are the starting point when implementing information security. They rely on either legal requirements or generally accepted best practices.
Measures based on legal requirements include:
• Protection and nondisclosure of personal data
• Protection of internal information
• Protection of intellectual property rights
Best practices mentioned are:
• Information security policy
• Assignment of responsibility for information security
• Problem escalation
• Business continuity management
When implementing a system for information security management, several critical success factors are to be considered:
• The security policy, its objectives and activities reflect the business objectives.
• The implementation considers cultural aspects of the organisation.
• Open support from and engagement of senior management are required.
• Thorough knowledge of security requirements, risk assessment and risk management is required.
• Effective marketing of security targets all personnel, including members of management.
• The security policy and security measures are communicated to contracted third parties.
• Users are trained in an adequate manner.
• A comprehensive and balanced system for performance measurement is available, which supports continuous improvement by giving feedback.
After presenting introductory information (scope, terms and definitions), a framework for the development of an organisation-specific information security management system (ISMS) is presented.
Such a system should consist of at least the following parts:
• Security policy
• Organisational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
Sunday, 3 February 2008
What ISO 17799 Provides and Addresses
Posted by Fabiano Damasceno at 12:49
Labels: Information Security – ISO 17799