ISO 17799 / BS 7799

ISO17799, or BS7799, is a detailed security standard. It is organised into ten major sections, each covering a different topic or area.
There is still some confusion regarding what the differences between BS7799 and ISO17799 actually are. BS7799 Part 1 (BS 7799-1:1999) and ISO17799 (ISO/IEC 17799) are essentially the same. With one or two minor modifications, BS7799-1 was published as ISO/IEC 17799 in December 2000.
Perhaps the confusion arises from the fact that there is a second part to BS7799. This is a discrete publication and covers information security management systems. It is not an ISO document.

Outlined below are the ten major sections and a brief description of what each area of ISO 17799 covers:
Business Continuity Planning - To counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.

System Access Control - To control access to information; to prevent unauthorised access to information systems; to ensure the protection of networked services; to prevent unauthorised computer access; to detect unauthorised activities; to ensure information security when using mobile computing and tele-networking facilities.

System Development and Maintenance - To ensure security is built into operational systems; to prevent loss, modification or misuse of user data in application systems; to protect the confidentiality, authenticity and integrity of information; to ensure IT projects and support activities are conducted in a secure manner; to maintain the security of application system software and data.

Physical and Environmental Security - To prevent unauthorised access, damage and interference to business premises and information; to prevent loss, damage or compromise of assets and interruption to business activities; to prevent compromise or theft of information and information processing facilities.

Compliance - To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements; to ensure compliance of systems with organisational security policies and standards; to maximise the effectiveness of, and to minimise interference to and from, the system audit process.

Personnel Security - To reduce risks of human error, theft, fraud or misuse of facilities; to ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work; to minimise the damage from security incidents and malfunctions and to learn from such incidents.

Security Organisation - To manage information security within the company; to maintain the security of organisational information processing facilities and information assets accessed by third parties; to maintain the security of information when the responsibility for information processing has been outsourced to another organisation.

Computer & Operations Management - To ensure the correct and secure operation of information processing facilities; to minimise the risk of systems failures; to protect the integrity of software and information; to maintain the integrity and availability of information processing and communication; to ensure the safeguarding of information in networks and the protection of the supporting infrastructure; to prevent damage to assets and interruptions to business activities; to prevent loss, modification or misuse of information exchanged between organisations.

Asset Classification and Control - To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.

Security Policy - To provide management direction and support for information security.
Within each section are the detailed statements that comprise the standard.

So how do you gain accreditation?

The first steps are usually to obtain the standard itself, perhaps with some of the fundamentals. The highly acclaimed 'ISO17799 Toolkit' includes both parts of the standard: ISO17799 and BS7799-2. Alternatively, both parts can be purchased together or separately from the electronic shop.
The URLs for these resources are as follows:

http://www.iso17799-made-easy.com
This is the home page for the toolkit. This package was put together to help those taking the first steps towards addressing ISO17799. It includes audit checklists, a roadmap, ISO17799 compliant security policies, both parts of the standard, and a range of other items.

http://www.iso17799.net
This is the ISO17799/BS7799 Electronic Shop. Essentially it is an online vending site for downloadable copies of the standard.
For more information visit the BSI website.