INFORMATION SECURITY STANDARD
MSA / ISO 17799
BS 7799 – ISO 17799 – ISO/IEC 27002
Historical Developments

ISO/IEC 27002 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

It was originally published as ISO/IEC 17799:2000. It was subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other standards of the ISO/IEC 27000 series.
Historical Developments

It is entitled "Information technology - Security techniques - Code of practice for information security management".

The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard BS 7799-1:1999.

The Malta Standards Authority adopted BS 7799 as is, publishing it as MSA/ISO 17799.
Introduction

ISO/IEC 27002 provides best-practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
Contents of the Standard - 1

The standard contains the following twelve main sections:

1. Risk Assessment
2. Security Policy - management direction
3. Organisation of Information Security - governance of information security
4. Asset Management - inventory and classification of information assets
5. Human Resources Security - security aspects for employees joining, moving within and leaving an organisation
6. Physical and Environmental Security - protection of computer facilities
7. Communications and Operations Management - management of technical security controls in systems and networks
Contents of the Standard - 2

8. Access Control - restriction of access rights to networks, systems, applications, functions and data
9. Information Systems Acquisition, Development and Maintenance - building security into applications
10. Information Security Incident Management - anticipating and responding appropriately to information security breaches
11. Business Continuity Management - protecting, maintaining and recovering business-critical processes and systems
12. Compliance - ensuring conformance with information security policies, standards, laws and regulations
Section 4 – Security Organisation

4.1 Information Security Infrastructure
4.2 Security and Third Party Access
4.3 Outsourcing
Section 5 – Asset Classification and Control

5.1 Accountability for Assets
5.2 Information Classification
Section 6 – Personnel Security

6.1 Security in Job Definition and Resourcing
6.2 User Training
6.3 Responding to Security Incidents and Malfunctions
Section 7 – Physical and Environmental Security

7.1 Secure Areas
7.2 Equipment Security
7.3 General Controls
Section 8 – Communications and Operations Management

8.1 Operational Procedures and Responsibility
8.2 System Planning and Acceptance
8.3 Protection Against Malicious Software
8.4 Housekeeping
8.5 Network Management
8.6 Media Handling and Security
8.7 Exchanges of Information and Software
Section 9 – Access Control

9.1 Business Requirement for Access Control
9.2 User Access Management
9.3 User Responsibilities
9.4 Network Access Control
9.5 Operating System Access Control
9.6 Application Access Control
9.7 Monitoring System Access and Use
9.8 Mobile Computing and Teleworking
Section 10 – System Development and Maintenance

10.1 Security Requirements of Systems
10.2 Security in Application Systems
10.3 Cryptographic Controls
10.4 Security of System Files
10.5 Security in Development and Support Processes
Section 11 – Business Continuity Management

11.1 Aspects of Business Continuity Management
Section 12 – Compliance

12.1 Compliance with Legal Requirements
12.2 Reviews of Security Policy and Technical Compliance
12.3 System Audit Considerations
Part 2 – Introduction

Part 2 is the 'specification' for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from a top-down perspective. It essentially explains how to apply ISO 17799, and it is this part that an organisation can currently be certified against.
Part 2 – Contents

Part 2 defines a six-step 'process', roughly as follows:

- Define a security policy
- Define the scope of the ISMS
- Undertake a risk assessment
- Manage the risk
- Select control objectives and controls to be implemented
- Prepare a statement of applicability
Question Time