ISO/CEI 17799
ISO/CEI 17799 is an international standard concerning information security, published in December 2000 by the ISO under the title Code of practice for information security management. The 2nd edition was published in June 2005.
ISO/CEI 17799 is a set of recommendations known as “best practices”, intended for use by everyone responsible for setting up or maintaining an information security management system. Information security is defined within the standard as “the preservation of confidentiality (ensuring that information is accessible only to authorized people), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information whenever required)”.
The standard is not binding on companies. Compliance with it can however be stipulated in a contract: a service provider could thus commit to following the standardized practices in its relations with a customer.
Contents of the standard
ISO/CEI 17799 is composed of ten principal sections, which cover security management in its technical as well as its organizational aspects:
- Security policy.
- Security organization.
- Asset classification and control.
- Personnel security.
- Physical security.
- Communications and operations management.
- Access control.
- Systems development and maintenance.
- Business continuity.
- Compliance (laws, licences, fees, etc.).
Each section specifies the objectives to be reached and enumerates a set of controls (the “best practices”) that make it possible to achieve these goals. The standard does not detail how the controls are to be implemented, because each organization is expected to carry out an evaluation of its own risks in order to determine its needs before choosing the controls that suit each case.
Related national standards
ISO/CEI 17799 has national equivalents in several countries, such as Australia and New Zealand (AS/NZS 4444), the Netherlands (SPE 20003), Sweden (SS 627799), Japan (JIS X 5080) and the United Kingdom (BS 7799:1999 Part 1, the original standard from which ISO/CEI 17799:2000 is derived almost word for word). The second part of BS 7799 (BS 7799-2:2002, Information security management systems - Part 2: Specification with guidance for use) lists a set of requirements for establishing, implementing, maintaining and improving an information security management system using the “best practices” defined in ISO/CEI 17799. An organization can be certified against BS 7799-2 (or its national equivalent) by certification bodies accredited by the national standardization organizations.
References
- ISO/CEI 17799:2000
- BS 7799-2:2002
External links
- British Standards Institute
- Official description of standard ISO/IEC 27001:2005
- ISO 27000/17799 International User Group (in English)