ISO17799 Newsletter - Issue 1
Welcome to the first edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to 17799 and information security. The newsletter will combine articles written for it with pointers to useful and topical sources on the web.
This initial edition covers:
- BS7799/ISO17799 - Same Standard, Different Cover
- Difference between May 99 and Dec 00
- Where to find ISO17799 online
- Complying with ISO17799 - Security Policies
- Complying with ISO17799 - Risk Analysis
- Risk Analysis & ISO17799 Compliance Tools
- Positioning & Certification
BS7799/ISO17799 - SAME STANDARD DIFFERENT COVER
It is worth clearing this up at the outset, as it confuses many people. The core content of the latest editions of these two standards IS the same. The documents differ only in their badging, introductions and similar front matter.
Much of the confusion stems from the fact that the earlier edition of BS7799 (which preceded ISO17799, and from which ISO17799 was derived) did have some differences. This is no longer the case - buy one and you effectively buy both.
DIFFERENCE BETWEEN MAY 99 AND DEC 2000
As stated, the previous version of BS7799 (May 99) did have minor differences from the December 2000 edition. These have been identified by BSI, who can now provide a PDF list of the upgrade changes.
WHERE TO FIND ISO17799 ONLINE
Strangely, a source for the core standard itself has so far been relatively difficult to find (OK - the web is BIG!). However, BS7799/ISO17799 can now be found directly and purchased online from: The BSI Electronic Shop
COMPLYING WITH ISO17799 - SECURITY POLICIES
Section 3.1 of ISO17799 states that "Management should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization".
Having a security policy document (or dusting down an old one) may well not be enough... to match the requirements of 17799, the policies must address the specific demands the standard sets out.
Common routes forward to achieve this include:
a) A full review of existing policies, matching them line by line with ISO17799 and its expectations.
b) The purchase of a set of pre-written policies which have been designed with the requirements of the standard fully in mind.
With respect to the latter, the security policies available from Security Policy World are perhaps the most directly applicable offering. The set has been designed to meet the needs of 17799 specifically, and each policy (there are hundreds) carries a direct cross reference to the applicable ISO17799 section.
Another neat feature is that the policies can also be delivered interactively to the desktop, as an alternative to a traditional static document.
COMPLYING WITH ISO17799 - RISK ANALYSIS
A common theme throughout ISO17799 is the requirement for security risk analysis.
Finding good source material for this is not always straightforward... hopefully the ISO17799 Newsletter can help. Although there are myriad sites on this topic, we have produced one which explains the theory and base methodology behind most major approaches: Security Risk Analysis
One recommendation worth contemplating with respect to risk: establish the relationship between risk analysis and compliance with security policy (and indeed the standard) at the outset. Both of these elements are fundamental to your security profile and must complement each other to be fully effective.
Proper thought and consideration of how they will interact now may well pay dividends later.
If you are interested in sponsoring this newsletter, please contact us at the email address below.
SPONSORED ITEM: RISK ANALYSIS & ISO17799 COMPLIANCE TOOLS
It is probably worth mentioning COBRA, the most widely used risk and ISO17799 compliance product, at this point. What perhaps makes COBRA so popular is its versatility, covering risk analysis, direct compliance with ISO17799, and a number of other key functions (eg: disaster recovery audit).
Again, confusion may arise due to the sheer volume of resellers for this system. The major portal for COBRA, however, is that owned by Risk Associates
POSITIONING OR CERTIFICATION?
A very individual question for each organization is how far to go along the ISO17799 path. For some, nothing less than full certification will do, for a variety of possible reasons. (Note that ISO17799 itself is a code of practice; formal certification of an information security management system is carried out against BS7799 Part 2, the companion specification.) For many, however, a positioning brief is adequate.... reaching a position of compliance and then monitoring the market and industry carefully.
For most, the correct posture will be self evident. However, for those unsure of how far to proceed, the online presentation at: ISO17799 Introduction may be helpful. This presents ISO17799 in the context of past, present and possible future.