ISO/IEC 17799

Information Technology/Security Techniques/Code of Practice for Information Security Management

ISO/IEC 17799 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management.

ISO/IEC 17799 contains best practices of control objectives and controls in the following areas of information security management:

• Security policy;
• Organization of information security;
• Asset management;
• Human resources security;
• Physical and environmental security;
• Communications and operations management;
• Access control;
• Information systems acquisition, development, and maintenance;
• Information security incident management;
• Business continuity management; and
• Compliance.

The control objectives in ISO 17799 are intended to be implemented to meet the requirements identified by a risk assessment.

ISO/IEC 17799 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

NOTE: ISO/IEC 17799:2005 is expected to be renamed to ISO/IEC 27002 in the future.

This is only an overview/extract of the standard. Users should not rely on its accuracy, but should refer to the complete standard of the appropriate revision.

Click here for full list of Standards and Regulations.