ISO 17799 Standard

The ISO 17799 standard is organized into 10 major sections, each covering a different topic or area.

1. Business Continuity Planning
The objective of this section is: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

2. System Access Control
The objectives of this section are: 1) To control access to information; 2) To prevent unauthorized access to information systems; 3) To ensure the protection of networked services; 4) To prevent unauthorized computer access; 5) To detect unauthorized activities; 6) To ensure information security when using mobile computing and tele-networking facilities.

3. System Development and Maintenance
The objectives of this section are: 1) To ensure security is built into operational systems; 2) To prevent loss, modification or misuse of user data in application systems; 3) To protect the confidentiality, authenticity and integrity of information; 4) To ensure IT projects and support activities are conducted in a secure manner; 5) To maintain the security of application system software and data.

4. Physical and Environmental Security
The objectives of this section are: 1) To prevent unauthorized access, damage and interference to business premises and information; 2) To prevent loss, damage or compromise of assets and interruption to business activities; 3) To prevent compromise or theft of information and information processing facilities.

5. Compliance
The objectives of this section are: 1) To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements; 2) To ensure compliance of systems with organizational security policies and standards; 3) To maximize the effectiveness of and to minimize interference to/from the system audit process.

6. Personnel Security
The objectives of this section are: 1) To reduce risks of human error, theft, fraud or misuse of facilities; 2) To ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work; 3) To minimize the damage from security incidents and malfunctions and to learn from such incidents.

7. Security Organization
The objectives of this section are: 1) To manage information security within the Company; 2) To maintain the security of organizational information processing facilities and information assets accessed by third parties; 3) To maintain the security of information when the responsibility for information processing has been outsourced to another organization.

8. Computer & Network Management
The objectives of this section are: 1) To ensure the correct and secure operation of information processing facilities; 2) To minimize the risk of systems failures; 3) To protect the integrity of software and information; 4) To maintain the integrity and availability of information processing and communication; 5) To ensure the safeguarding of information in networks and the protection of the supporting infrastructure; 6) To prevent damage to assets and interruptions to business activities; 7) To prevent loss, modification or misuse of information exchanged between organizations.

9. Asset Classification and Control
The objectives of this section are: 1) To maintain appropriate protection of corporate assets; 2) To ensure that information assets receive an appropriate level of protection.

10. Security Policy
The objective of this section is: To provide management direction and support for information security.

Part: 2 of 2

© 2002, Vintara, All Rights Reserved