Directory of information security policies,
& baseline standards, and
information security policy resources.

 Directory of information security policies and information security policy resources Contact Us Front Page

The Contents of ISO17799

ISO 17799 is an extremely detailed security standard, organized into ten major sections. Each section covers a different topic or area. The objectives of each of these are as follows:

** Security Policy **
To provide management direction and support for information security.

Business Continuity Planning
To counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.

System Access Control
1) To control access to information 2) To prevent unauthorized computer access 3) To prevent unauthorised access to information systems 4) To ensure the protection of networked services 5) To detect unauthorised activities. 6) To ensure information security when using mobile computing and tele-networking facilities

System Development & Maintenance
1) To ensure security is built into operational systems; 2) To ensure IT projects and support activities are conducted in a secure manner; 3) To prevent loss, modification or misuse of user data in application systems; 4) To protect the confidentiality, authenticity and integrity of information; 5) To maintain the security of application system software and data.

Physical and Environmental Security
To prevent unauthorised access, damage and interference to business premises and information; to prevent compromise or theft of information and information processing facilities; to prevent loss, damage or compromise of assets and interruption to business activities.

1) To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements 2) To ensure compliance of systems with organizational security policies and standards 3) To maximize the effectiveness of and to minimize interference to/from the system audit process.

Personnel Security
To reduce risks of human error, fraud, theft or misuse of facilities; to ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work; to minimise the damage from security incidents and malfunctions and learn from such incidents.

Security Organisation
1) To manage information security within the Company; 2) To maintain the security of information when the responsibility for information processing has been outsourced to another organization. 3) To maintain the security of organizational information processing facilities and information assets accessed by third parties.

Computer & Operations Management
1) To ensure the correct and secure operation of information processing facilities; 2) To ensure the safeguarding of information in networks and the protection of the supporting infrastructure; 3) To minimise the risk of systems failures; 4) To protect the integrity of software and information; 5) To maintain the integrity and availability of information processing and communication; 6) To prevent damage to assets and interruptions to business activities; 7) To prevent loss, modification or misuse of information exchanged between organizations.

Asset Classification and Control
To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.

Within each of these ten sections are the detailed statements that comprise the bulk of the standard.



Copyright © 1993-2001    The Security Policies & Standards Group   
Gateway Listed