As we all know, information security is a continuous exercise, not a one-off event, and so ISO 17799, a code of practice for information security management, has itself been recently revised and updated. ISO/IEC
The most obvious change is that the new standard now has 11 security control clauses instead of ten, with 39 main security categories, some having been renamed and reorganized. The way the information is presented has also been standardized so that it will fit with future security standards, making it more readable and user friendly. The new structure is as follows:
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
The sections covering legal and privacy requirements, physical security, access control, secure coding and incident response have all been updated, while more emphasis has been given to management responsibilities and managing human resources. There is certainly better direction given on handling security incidents and the security issues around outsourcing and contracting with service providers. While there is less emphasis in the guidance on mainframe computers, the problems of patch management, mobile devices, wireless technologies and malicious mobile code are now covered, reflecting the impact the Internet is having on information security.
Additional new controls have been introduced to address the emerging issues not previously covered, taking the total number of controls to 134, which reside within the 11 security control clauses above. 36 control areas and controls were either deleted or moved from the 2000 standard, while 46 new control areas and controls have been added, including those that were deleted and modified into new sections.
So do these updates maintain ISO 17799 as the standard code of practice for information security? Gartner forecasts that it will be the most common standard used to judge the information security posture of an organization, and the National Cyber Security Partnership
recently recommended its use. The number of certified organizations in North America is certainly continuing to grow, as do purchases of the standard. In Europe and the Pacific Rim, it is fast becoming the de facto standard as it establishes an international common language for information security. It certainly looks like this standard is going to be around for a while. Resources invested in ISO 17799 compliance will not be wasted, as compliant and certified organizations can reassure customers and satisfy lawmakers that recognized processes to deal with information security threats and compliance regulations are in place.
There are plans to update this version again in 2007, and no doubt there will be a need to review the guidance on telephony due to VoIP, and to cover Instant Messaging and group collaboration via the Internet. Meanwhile, further standards covering information security management systems are already being developed. ISO/IEC 27003 will cover Information Security Management System (ISMS) implementation guidance, ISO/IEC 27004 will deal with information security management measurement and metrics, while the proposed ISO/IEC 27005 will look at ISMS risk management. If you are serious about protecting your data assets then this series of information security standards is a great place to start as it allows you to benefit from common best practice and to optimize costs by following standardized rather than specially developed methods.
About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This was first published in February 2006