|Title:||ISO/IEC 17799:2005 - Information technology -- Security techniques -- Code of practice for information security management|
(Note: this is a reference to the ISO page where the standard can be acquired. However, the standard is not free of charge, and its provisions are not publicly available. For this reason, specific provisions cannot be quoted).
|Topic:||Standard containing generally accepted guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization, including business continuity management.|
|Direct / indirect relevance||Direct. While not legally binding, the text is a direct resource towards sound information security management.|
|Scope:||Not publicly available ISO standard, which can be voluntarily implemented.|
|Legal force:||Nonbinding ISO standard.|
|Affected sectors:||Generic. The standard can be implemented in any sector confronted by information security management.|
|Relevant provision(s):||The standard is not free of charge, and its provisions are not publicly available. For this reason, specific provisions cannot be quoted.
Generally, the contents of the abstract are described as follows:
‘ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
* security policy;
* organization of information security;
* asset management;
* human resources security;
* physical and environmental security;
* communications and operations management;
* access control;
* information systems acquisition, development and maintenance;
* information security incident management;
* business continuity management;
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.’
|Relevance to RM/RA:||The standard is a commonly used code of practice, and serves as a resource for the implementation of information security management practices and as a yardstick for auditing such practices.
(See also http://en.wikipedia.org/wiki/ISO/IEC_17799)