Milliman Security Management System
Compliance FAQs

What is the ISO 17799 standard, and why is it so important?

ISO (International Standards Organization) 17799 is an internationally recognized information security standard. ISO 17799 originated from a British Standard, and the two remain closely linked. While the extent of adoption of and compliance with this standard is still emerging, ISO 17799 is the most widely recognized international information security standard.

This standard is very important because it is widely used as a benchmark by auditors and consultants in the United States and abroad to evaluate the adequacy of controls over information systems.

Similar to NIST SP 800-14, this standard has two parts: ISO 17799, which outlines a code of practice, and BS (British Standard) 7799 Part 2, which details controls for securing and managing information systems.

ISO 17799 is made up of 10 security domains and generally accepted practices within each domain. The security domains are:

  1. Security Policy
  2. Organizational Security
  3. Asset Classifications
  4. Personnel Security
  5. Physical and Environmental Security
  6. Communication and Operations Management
  7. Access Control
  8. System Development and Maintenance
  9. Business Continuity Management
  10. Compliance

An organization can obtain ISO 17799 certification to assert that it is ISO 17799 compliant. Certification, however, is still not common and may not be cost-effective or necessary for many organizations. Many industry experts anticipate that the ISO 17799 standard and its certification will gain momentum as domestic and international privacy and security laws and risks continue to increase.

MS2 maps its findings to the ISO framework to support organizations that either choose or are required to use this standard in managing and auditing their security programs.