A Summary of Controls in ISO17799-2005

After many years of aging without update, ISO17799, which was originally extracted from BS17799, has been revamped and updated significantly. While there are copyrights that are heavily enforced surrouinding the standards themselves (something that I greatly object to but have no power over), this summary provides an overview of the new standards as it exists just after official release.

For the reader interested in reviewing their own compliance to the standard, we suggest that you purchase our books on security metrics and security standards that include detailed checklists and metrics on ISO17799-2005 as well as other common standards.

Section 1

This section introduces the concepts of information security. It starts by defining information assets, describes that they have utility that needs to be protected, discusses establishing requirements, assessing risks, and selecting controls in a general sense, and talks about starting points looking at legislation, common practices, and critical success factors. Finally it indicates that ISO17799-2005 is a starting point and not the end-all for information security.

Section 2

Section 2 defines terms used throughout the rest of the standard. These include asset, control, guideline, informationprocessing facilities, information security, information security event, information security incident, policy, risk, risk analysis, risk assessment, risk evaluation, risk management, risk treatment, third party, threat, and vulnerability.

Section 3

Thise section describes the structure of the standard. It identifies 8 "clauses" consisting of:

Section 4 - Risk assessment and treatment

4.1 describes that risks should be assessed systematically, periodically, in a clearly defined manner, and with enterprise-wide scope.

4.2 identifies that a criteria is required for risk acceptance, that for each identified risk avoidance, acceptance, transfer, or mitigation are selectable, that legislation and regulation, organizaitonal objectives, and operaitonal needs, costs, and a balance between risk mitigaiton value and cost should be drawn.

It also asks that controls be sonsidered as early in the process as possible to reduce costs and consequences and expresses that security is not and cannot be perfect.

Section 5 - Security Policy

The objective of policy is identified as management guidance with clarity.

5.1 Information security policy covers the policy document, and policy review.

Section 6 Organization of information security

Section 6.1 covers internal organization while section 6.2 dicusses external parties.

Section 7 - Asset management

Seciton 7.1 discusses responsibility for assets, while 7.2 is about information classification.

Section 8 - Human resources security

Section 8.1 is about th3e time before employment while 8.2 is about the employment period and 8.3 is about termination or change of employment.

Section 9 - Physical and environmental security

Section 9.1 is about secure areas while section 9.2 is about equipment security.

Section 10 - Communications and operations management

Section 10.1 is about operational procedures and responsibilities while sectiojn 10.2 is about external parties delivering services (outsourcing) and 10.3 is about system planning and acceptance. Section 10.4 is about malicious and mobile code and section 10.5 is about backups and 10.6 is about network security management. 10.7 covers media handling and 10.8 covers exchanges of information. 10.9 is about e-commerce while 10.10 is about monitoring things..

Section 11 - Access control

Section 11.1 is about business requirements while 11.2 is about user controls and 11.3 is about user responsibilities. 11.4 drills down into network access control, 11.5 examines operating system access controls, 11.6 is about applicaiton level controls, and 11.7 is focussed on mobile computing.

Section 12 - System development and acquisition

12.1 focuses on security requirements while 12.2 focuses on correct processing. 12.3 is about cryptographic controls while 12.4 is about control of system files. 12.5 focuses on the development and support processes, 12.6 centers around vulnerability management.

Section 13 Information security incident management

13.1 is about reporting security events and weaknesses, while 13.2 is about managing incidents and improvements.

Section 14 - Business continuity management

14.1 covers information security aspects of business continuity management.

Section 15 - Compliance

Section 15.1 is about compliance with legal requirements while 15.2 is about compliance with policies, standards, and technical specifications and 15.3 is about audit considerations.

Biography and Index

A substantial biography and index is provided.