An improved version of the joint ISO/IEC standard that has become the burgeoning e-commerce community’s international benchmark for information security management has just been published.
The modern interconnected e-commerce environment, with information now exposed to a growing number and a wider variety of threats and vulnerabilities, is the main beneficiary of the standard.
Ted Humphreys, Convenor of the ISO/IEC working group that developed ISO/IEC 17799:2005, said: “The revised version of this standard provides organizations with many state-of-the-art additions and improvements in information security best practice.
“For example, better management of security arrangements with external businesses, outsourcing and service providers, enhanced incident handling capability, dealing with problems of patch management, mobile devices, wireless technologies and harmful mobile code via the Internet, improvements in best practice managing human resources and several other new features.”
ISO/IEC 17799:2005 is a code of practice for information security management. It is not a certification standard and was neither designed, nor is it suitable for this purpose. It will be followed in the last quarter of the year (publication currently expected in November 2005) by the specification standard ISO/IEC 27001, Information security management system (ISMS) requirements, which can be used for certification.
The new version addresses the security of information in its widest sense, providing best business practice, guidelines and general principles for implementing, maintaining and managing information security in any organization that produces and uses information in any form.
Any organization has assets essential to its continuity. Arguably, information in its various forms is the most important asset, be it printed, stored electronically, posted or e-mailed, shown on film or spoken. For most businesses, information security may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. But many businesses and most non-business organizations may hold information as their only asset. An absence of information security may threaten their integrity and, therefore, their very existence.
ISO/IEC 17799:2005 recognizes that the level of security that can be achieved purely through technical means is limited. The required level of security – established through assessing the levels of risk and associated costs through breaches of security, against the costs of implementing security – should always be driven by appropriate management controls and procedures. Information security management requires, as a minimum, participation by all employees in the organization. It may also require participation from shareholders, suppliers, third parties and customers.
ISO/IEC 17799:2005 identifies the controls that form the starting point for information security. It covers the critical success factors, the organization of information security, asset management, human resources, physical and environmental security, communications and operations management, information systems acquisition, development and maintenance, incident management, business continuity management and compliance. It is destined to become an essential tool for organizations of every type and size, whether public or private.
Ted Humphreys commented: “Users of this standard can also demonstrate to business partners, customers and suppliers that they are fit enough and secure enough to do business with, providing the chance for them to turn their investment in information security into business-enabling opportunities.
“In summary, this revised ISO/IEC 17799 is the most important standard for managing information security that has been developed – it establishes a truly international common language for information security for all organizations around the world to engage with each other to do business.”
ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information security management, costs 200 Swiss francs and is available from ISO national member institutes and from ISO Central Secretariat. It was developed by ISO/IEC Joint Technical Committee JTC 1, Information technology, Subcommittee SC 27, Security techniques, Working Group WG 1, Requirements, security services and guidelines.