ISO/IEC 17799, now published as ISO/IEC 27002, is an information security standard that provides a code of practice: a catalogue of recommended information security controls, together with implementation guidance, for organizations that operate an Information Security Management System (ISMS). It is a guidance document rather than a set of auditable requirements; the requirements for establishing, implementing, maintaining and continually improving an ISMS are in ISO/IEC 27001. Here's a detailed explanation of ISO/IEC 17799:
1. Background:
ISO/IEC 17799 was first published in 2000 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), derived from the British standard BS 7799-1. It was revised in 2005 and then renumbered as ISO/IEC 27002 in 2007 to align with the ISO/IEC 27000 series of information security standards. The standard has since been revised twice, as ISO/IEC 27002:2013 and ISO/IEC 27002:2022.
2. Scope:
ISO/IEC 27002 covers a wide range of information security topics, including policies, procedures, technical controls, and management practices. It is applicable to all types and sizes of organizations, across various industries, and can be used to protect any form of information, whether digital or physical.
3. Structure:
The standard is organized into control clauses, each focusing on a specific aspect of information security management. The 2013 edition groups 114 controls into 14 clauses; the 2022 edition regroups 93 controls into four themes (organizational, people, physical and technological) and tags each control with attributes such as control type and security property. The clauses of the 2013 edition, which most existing ISMS documentation still follows, include:
a. **Information Security Policy and Organization**: Establishing and maintaining an information security policy, roles and responsibilities, and the management framework for information security.
b. **Human Resource Security**: Addressing security aspects during the employment lifecycle, including background checks, security awareness, and termination procedures.
c. **Asset Management**: Identifying and managing information assets, including data classification, ownership, and protection of assets.
d. **Access Control**: Implementing access controls, user authentication, and authorization mechanisms to ensure appropriate access to information.
e. **Cryptography**: A policy on the use of cryptographic controls to protect the confidentiality, authenticity and integrity of information, together with key management covering the generation, storage, distribution and retirement of keys.
f. **Physical and Environmental Security**: Ensuring the physical security of facilities, equipment, and information assets.
g. **Operations Security**: Procedures and controls for secure system operations, including change management, protection from malware, backup, logging and monitoring, control of operational software, and technical vulnerability management.
h. **Communications Security**: Ensuring the security of network and communication channels, including data transfer, remote access, and electronic messaging.
i. **System Acquisition, Development and Maintenance**: Security requirements for information systems, secure development practices, and protection of test data.
j. **Supplier Relationships**: Managing information security in agreements with suppliers and monitoring supplier service delivery.
k. **Information Security Incident Management**: Establishing an incident response and reporting process for handling security events, incidents and weaknesses, including collection of evidence.
l. **Information Security Aspects of Business Continuity Management**: Maintaining information security through disruptive incidents and ensuring the availability of information processing facilities.
m. **Compliance**: Addressing legal, statutory, regulatory and contractual requirements related to information security, including privacy and intellectual property, and reviewing the ISMS against them.
4. Implementation and Compliance:
Organizations that choose to adopt ISO/IEC 27002 use it as a reference catalogue when selecting and implementing controls for their ISMS. There is no certification against ISO/IEC 27002 itself: it contains guidance rather than requirements, so it cannot be audited for conformance. Certification is granted against ISO/IEC 27001 by accredited certification bodies, and ISO/IEC 27002 is consulted during that process to justify which controls were selected in the Statement of Applicability and how they were implemented. Self-assessment and internal audits against the 27002 guidance are a common way to prepare for a 27001 audit.
5. Relationship with ISO/IEC 27001:
ISO/IEC 27002 is closely related to ISO/IEC 27001, which is the standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS. Annex A of ISO/IEC 27001 lists the same controls as ISO/IEC 27002 by title and objective only; ISO/IEC 27002 supplies the detailed implementation guidance for each of them. In practice, ISO/IEC 27001 tells an organization what its ISMS must do (risk assessment, risk treatment, management review, internal audit), and ISO/IEC 27002 explains how the individual controls chosen during risk treatment can be put into effect.
6. Continuous Improvement:
Like other ISO management-system standards, ISO/IEC 27002 supports a culture of continual improvement. Organizations are expected to regularly review and update their information security policies and controls to address evolving threats and vulnerabilities, and the periodic revisions of the standard itself (2005, 2013, 2022) mean that control selection should be re-checked against the current edition.
In summary, ISO/IEC 27002 (formerly ISO/IEC 17799) is a comprehensive information security standard that provides guidance on best practices and controls for managing information security risks. It is widely recognized and used by organizations globally as a reference for selecting and implementing security controls. When used in conjunction with ISO/IEC 27001, which carries the auditable requirements and is the standard an organization is actually certified against, it forms a robust framework for managing information security effectively.