What's new in the revision of ISO 17799


Michael Cobb
02.03.2006


As we all know, information security is a continuous exercise, not a one-off event, and so ISO 17799, a code of practice for information security management, has itself been recently revised and updated. ISO/IEC 17799:2005 was officially published on June 15, 2005. It cancels and replaces the old ISO/IEC 17799:2000 version, while the new ISO/IEC 27001, which covers information security management system (ISMS) requirements and can be used for ISO 17799 certification, was released in November 2005. Let's have a look at the changes to ISO 17799.

The most obvious change is that the new standard now has 11 security control clauses instead of ten, with 39 main security categories, some having been renamed and reorganized. The way the information is presented has also been standardized so that it will fit with future security standards, making it more readable and user friendly. The new structure is as follows:

  • Security Policy
  • Organizing Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

The sections covering legal and privacy requirements, physical security, access control, secure coding and incident response have all been updated, while more emphasis has been given to management responsibilities and managing human resources. There is certainly better direction given on handling security incidents and the security issues around outsourcing and contracting with service providers. While there is less emphasis in the guidance on mainframe computers, the problems of patch management, mobile devices, wireless technologies and malicious mobile code are now covered, reflecting the impact the Internet is having on information security.

Additional new controls have been introduced to address the emerging issues not previously covered, taking the total number of controls to 134, which reside within the 11 security control clauses above. 36 control areas and controls were either deleted or moved from the 2000 standard, while 46 new control areas and controls have been added, including those that were deleted and modified into new sections.

So do these updates maintain ISO 17799 as the standard code of practice for information security? Gartner forecasts that it will be the most common standard used to judge the information security posture of an organization, and the National Cyber Security Partnership recently recommended its use. The number of certified organizations in North America is certainly continuing to grow, as do purchases of the standard. In Europe and the Pacific Rim, it is fast becoming the de facto standard as it establishes an international common language for information security. It certainly looks like this standard is going to be around for a while. Resources invested in ISO 17799 compliance will not be wasted, as compliant and certified organizations can reassure customers and satisfy lawmakers that recognized processes to deal with information security threats and compliance regulations are in place.

There are plans to update this version again in 2007, and no doubt there will be a need to review the guidance on telephony due to VoIP, and to cover Instant Messaging and group collaboration via the Internet. Meanwhile, further standards covering information security management systems are already being developed. ISO/IEC 27003 will cover Information Security Management System (ISMS) implementation guidance, ISO/IEC 27004 will deal with information security management measurement and metrics, while the proposed ISO/IEC 27005 will look at ISMS risk management. If you are serious about protecting your data assets then this series of information security standards is a great place to start as it allows you to benefit from common best practice and to optimize costs by following standardized rather than specially developed methods.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
