Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISO17799 / BS 7799-2 ISO 17799 / BS 7799-2. Introduction Information security has always been a major challenge to most organizations. Computer infections.

Published byChastity Shaw Modified over 7 years ago

Similar presentations

Presentation on theme: "ISO17799 / BS 7799-2 ISO 17799 / BS 7799-2. Introduction Information security has always been a major challenge to most organizations. Computer infections."— Presentation transcript:

1 ISO17799 / BS 7799-2 ISO 17799 / BS 7799-2

2 Introduction Information security has always been a major challenge to most organizations. Computer infections by the “I-Love-You” virus, the 9-11 terrorist attacks and the crippling electrical blackouts in the northeastern United States in 2003 are just a few well-known examples of the need to come to terms with information­related risks. Unfortunately, organizations forget too quickly that information security is more than a simple matter of technology. In reality, it should be part of an ongoing risk management process, covering all of the information that needs to be protected

3 What is information security? Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business losses and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, whatever the means by which it is shared or stored, it should always be appropriately protected.

4 Information security consists of preserving the following elements: a) confidentiality : ensuring that information can only be accessed by those with the proper authorization; b) integrity : safeguarding the accuracy and completeness of information and the ways in which it is processed; c) availability : ensuring that authorized users have access to information and associated assets whenever required. Information security elements

5 Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established in order to ensure that the specific security objectives of the organization are met.

6 What is BS 7799 / ISO 17799? The goal of BS 7799 / ISO 17799 is to “provide a common base for developing organizational security standards and effective security management practice and to provide confidence in inter- organizational dealings.” The standard is published in two parts: –ISO/IEC 17799 Part 1: Code of practice for information security management –BS 7799 Part 2: Information security management -- specifications with guidance for use

7 ISO/IEC 17799 Part 1 The international standard ISO/IEC 17799 was developed by the British Standards Institution (BSI) as BS 7799. It was adopted through a special “fast track procedure” by the JTC 1 (Joint ISO/IEC Technical Committee), concurrently with its approval by the national member institutes of ISO and the IEC. ISO/IEC 17799 is presented in the form of guidelines and recommendations that were assembled following consultations with big business. The 36 security objectives and 127 security controls contained in ISO/IEC 17799 are divided among ten domains

8

9 BS 7799 Part 2 BS7799 provides conditions for information security management. Comprised of the ten domains and 127 controls of the ISO 17799 standard, this reference applies to the development, implementation and maintenance stages of an information security management system. Organizations applying for certification are evaluated according to this document. An organization that bases its ISMS on the provisions in BS 7799 can obtain certification from an accredited body

10 What is an ISMS? An Information Security Management System (ISMS) provides a systematic approach to managing sensitive information in order to protect it. It encompasses employees, processes and information systems. Information security involves more than simply installing a firewall or signing a contract with a security firm. In this field it is essential to integrate multiple initiatives within a corporate strategy so that each element provides an optimal level of protection. This is where information security management systems come into play - they ensure that all efforts are coordinated in order to acheive optimum security. A management system must therefore include an evaluation method, safeguards and a documentation and revision process. This is the underlying principle of the PDCA (Plan-Do-Check-Act) model which strongly resembles the ISO 9001 model for quality management.

11

12 Plan - Define the ISMSscope and the organization’s security policies -Identify and assess risks -Select control objectives and controls that will help manage these risks -Prepare the statement of applicability Do -Formulate and implement a risk mitigation plan -Implement the previously selected controls in order to meet the control objectives. Check -Perform monitoring procedures -Conduct periodic reviews to verify the effectivenessof the ISMS -Review the levels of acceptable and residual risk - Periodically conduct internal ISMSaudits Act -Implement identified ISMS improvements -Take appropriate corrective and preventive action -Maintain communications with all stakeholders -Validate improvements

13 Complementarity of BS7799 / ISO 17799 As of the new 2002 revision, BS7799-2 is harmonized with the standards for other well­known management systems, such as ISO 9001:2000 and ISO 14001:1996. Indeed, numerous companies are aware of or have implemented a quality management system (QMS) using ISO 9001, or an environment management system (EMS) using ISO 14001. BS 7799-2 now follows the same structure and has much the same requirements for developing an Information Security Management System (ISMS).

Download ppt "ISO17799 / BS 7799-2 ISO 17799 / BS 7799-2. Introduction Information security has always been a major challenge to most organizations. Computer infections."

Similar presentations

ISMS implementation and certification process overview

ISMS implementation and certification process overview
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Developing a Risk-Based Information Security Program

Developing a Risk-Based Information Security Program
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
The International Security Standard

The International Security Standard
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Auditing Concepts.

Auditing Concepts.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Auditing Computer Systems

Auditing Computer Systems
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
ISO/IEC 27001 Winnie Chan BADM 559 Professor Shaw 12/15/2008.

ISO/IEC Winnie Chan BADM 559 Professor Shaw 12/15/2008.
ISO General Awareness Training

ISO General Awareness Training
How ISO Standards Relates to Usability:. INTRODUCTION/ Before we can relate the ISO standards to usability, first we need to know what the meaning of.

How ISO Standards Relates to Usability:. INTRODUCTION/ Before we can relate the ISO standards to usability, first we need to know what the meaning of.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
/ Information Security Seminar

/ Information Security Seminar
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Quality Manual for Interoperability Testing Morten Bruun-Rasmussen Presented by Jos Devlies, Eurorec.

Quality Manual for Interoperability Testing Morten Bruun-Rasmussen Presented by Jos Devlies, Eurorec.
Agenda Review homework Final Exam requirments ISO 9000 Baldridge

Agenda Review homework Final Exam requirments ISO 9000 Baldridge

Similar presentations

Ads by Google