DN-Systems

BS7799-2 / ISO 17799

Corner Stones

Core features of ISO 17799 and BS7799-2 are:
  • Easy to understand
  • Independent of specific technology
  • Covers not only IT topics but also organizational aspects
  • Intended to cover business economics as well

ISO 17799 specifies ten different areas of focus:

  1. Security Policy

    The Security Policy according to ISO 17799 defines essential guidelines for security. The policy is intended to support management decisions and explain the organization’s basic position regarding security and information security in particular.
    The policy is available as a document typically referencing additional documents containing more detailed information. These subordinate documents usually specify the steps for implementing the policy on a managerial, technological and organizational level.
  2. Organizational Security

    Typically most effort goes into adapting ISO 17799 for organizational security. Organizational security defines which parts of the organization are responsible for what, and how to react to events when they occur.
    Any measures defined here then need to be implemented using suitable technology or infrastructure, for example a construction project to install an access control system.
  3. Asset Classification and Control

    All inventory needs to be accounted for and subsequently categorized by risk. Then the relevance of each entity for the business process can be evaluated and individual security requirements can be determined.
  4. Access Control

    Access to assets is modeled using an access and roles concept. After auditing and documenting access control, the concept is implemented using the appropriate technologies.
  5. Compliance

    In this step the structure of ISO 17799 needs to be checked for compliance with national law and other limiting factors, to make sure the standard is not in conflict with them.
    Even so, the security demands from the Security Policy must still be met. Relevant laws are the KonTraG in Germany and the Sarbanes-Oxley Act as well as the Computer Security Act in the US.
  6. Personnel Security

    In contrast to other security concepts, this standard also treats the human being as a risk factor.
    Employee training, for example, can be one tool for creating awareness of the importance and necessity of security. Different people can have different roles assigned to them. In addition, liability is defined here.
  7. Physical and Environmental Security

    Physical security can be achieved by dividing a building into different security zones and protecting these by appropriate access control systems. Specific locations or work places can be secured individually (physically or virtually). Related topics are fire protection and protection against eavesdropping.
  8. Systems Development and Maintenance

    ISO 17799 specifically addresses how to secure system upgrades and new technology from an organizational as well as a technological perspective.
  9. Communications and Operations Management

    This part covers typical business processes and adds a security layer on top of existing process frameworks, such as ITIL.
    Additional aspects are revision-proof archiving and forensically safe destruction of data and documents.
    Responsibility for normal operations and information exchange between organizations and staff, as well as communication with external organizations, is defined here.
  10. Business Continuity Management

    BCP (Business Continuity Planning) aims at uncovering risks for the business process and defining emergency measures to enable the organization to resume normal operations as quickly as possible.
    Emergency and recovery drills should be part of every good BCP.

Implementation of ISO 17799

Initially, a risk analysis will reveal risks and evaluate their relevance. Part of this effort is an extensive audit on a technological and an organizational level. The organization’s specific requirements are gathered in accordance with applicable law and other limiting factors.
In the next step, measures and control mechanisms are defined to reduce these risks to an economically acceptable level, taking the client’s needs into account. The best solutions are those that are efficient from a security as well as a cost perspective.
Created by cschmidt
Last modified 2005-10-09 04:19 AM