ISO 17799: Infosec Risk Assessment Standard
Saturday, November 29th, 2008ISO, the International Organization for Standardization, is the world’s leading developer of International Standards, ensuring product and information interoperability. One of their most widely adopted standards is ISO/IEC 17799:2005, which establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. This is especially important in the increasingly interconnected business environment, where information is now exposed to a growing number and a wider variety of threats and vulnerabilities.
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. It is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.
The objectives outlined in ISO/IEC 17799:2005 provide general guidance on the commonly accepted goals of information security management and contain best practices controls in the following areas of information security management:
- information security policy
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development and maintenance
- information security incident management
- business continuity management
- compliance
The control objectives and controls in ISO/IEC 17799:2005 can be used by an organization to assess the risk of doing business with partners, customers and suppliers and are a good indicator or an another organization’s IT and business process maturity.
