ISO 17799 is an internationally recognized information security management guidance standard, first published by the International Organization for Standardization (ISO) in December 2000. Its predecessor, the British standard BS 7799, has existed in various forms for a number of years, although the standard only really gained widespread recognition following publication by ISO.

ISO 17799 is high level, broad in scope, and conceptual in nature. This approach allows it to be applied across multiple types of enterprises and applications. It has also made the standard controversial among those who believe standards should be more precise. In spite of this controversy, ISO 17799 is the only "standard" devoted to Information Security Management in a field generally governed by "Guidelines" and "Best Practices."

ISO 17799 defines information as an asset that may exist in many forms and has value to an organization. The goal of information security is to suitably protect this asset in order to ensure business continuity, minimize business damage, and maximize return on investments. As defined by ISO 17799, information security is characterized as the preservation of:
  Confidentiality - ensuring that information is accessible only to those authorized to have access
  Integrity - safeguarding the accuracy and completeness of information and processing methods
  Availability - ensuring that authorized users have access to information and associated assets when required

As a standard that is primarily conceptual, ISO 17799 is not:
  A technical standard
  Product or technology driven
  Related to the five-part "Guidelines for the Management of IT Security," or GMITS/ISO 13335, which provides a conceptual framework for managing IT security

Part: 1 of 2

© 2002, Vintara, All Rights Reserved