ISO 17799 is a descendant of the British Standards Institution (BSI) Information Security Management standard BS 7799. While many organizations use the BS 7799 standard, demand grew for an internationally recognized information security standard under the direction of an internationally recognized body, such as the ISO. This demand led to BSI fast-tracking BS 7799 Part 1, resulting in the initial release of ISO 17799 by the ISO. Currently, only BS 7799 Part 1 has been accepted for ISO standardization. ISO standardization for Part 2 is not currently being pursued.
ISO 17799 is the only standard focused on Information Security Management in a field generally governed by guidelines and best practices.
ISO 17799 is organized into ten major sections:
- Business Continuity Planning
- System Access Control
- System Development and Maintenance
- Physical and Environmental Security
- Personnel Security
- Security Organization
- Computer and Network Management
- Asset Classification and Control
- Security Policy
ISO 17799 is a compilation of recommendations for best security practices that can be applied by any business, and it was written with flexibility in mind. Its recommendations are technology-neutral; as a consequence, they do not provide help in evaluating or understanding existing security measures. For example, it discusses the need for intrusion prevention systems but does not speak to how they should be used. Detractors have suggested that ISO 17799 is too vague.
The future of ISO 17799 seems bright, as the bandwagon of support continues to gain momentum.
Establishing a universally recognized standard of security policies and practices is tremendously appealing. ISO 17799’s chief attribute is its flexibility. Written in an open framework, the standard’s compilation of best practices can be applied by any organization regardless of size or industry.
The information security community around the world is watching ISO 17799 carefully. With the current level of acceptance, this standard has the potential to rival the success of any other information security standard.