Leading Edge Practices

Every month, ITAudit will provide information on existing IT frameworks, legislation, best practices, and industry-specific regulations and standards to enhance auditors' knowledge in the area.

The ISO 17799: 2005 Standard

The International Organization for Standardization's (ISO's) 17799: 2005 Standard is an information security management code of practice that provides a broad, nontechnical framework to establish effective IT controls. The standard, which was updated in June 2005 to reflect changes in the field of information security, provides a high-level view of information security from different angles ― known as security clauses ― and a comprehensive set of information security best practices.

More specifically, ISO 17799 is designed for companies that wish to develop effective information security management practices and enhance their IT security efforts. Among other things, the standard provides valuable information to senior managers on security-related issues that can be used before conducting a risk assessment, including best practices on how to identify critical assets. The standard also provides information on the role organizational structures play as part of the company's information security efforts, such as the various types of administrative, technical, and physical controls used to mitigate risk.

The ISO 17799 Standard consists of 11 clauses that are divided into one or more security categories ― each with a clear control objective ― for a total of 39 security categories. (Refer to Table 1 for a complete list of all security clauses.) The control objectives in each clause are designed to meet the requirements identified by a risk assessment and can be used as a common basis and practical guideline for developing organizational security standards and effective security management practices.

ISO 17799 Clauses

  • Security Policy.
  • Organizing Information Security.
  • Asset Management.
  • Human Resources Security.
  • Physical and Environmental Security.
  • Communications and Operations.
  • Access Control.
  • Information Systems Acquisition, Development, and Maintenance.
  • Information Security Incident Management.
  • Business Continuity Management.
  • Compliance.

Table 1. Clauses in the ISO 17799: 2005 Standard

For more information about the standard, visit the ISO Web site or read "Are You Familiar With the Most Recent ISO/IEC 17799 Changes?" published in the June 10, 2006 issue of ITAudit.