ISO/IEC 17799:2005

ISO/IEC 17799:2005, Information Security Management, establishes guidelines and general principles for organizations to initiate, implement, maintain, and improve information security management.

ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management.

  • Security policy.
  • Organization of information security.
  • Asset management.
  • Human resources security.
  • Physical and environmental security.
  • Communications and operations management.
  • Access control.
  • Information systems acquisition, development and maintenance.
  • Information security incident management.
  • Business continuity management.
  • Compliance.

It is suitable for several different types of organizational use, including the following:

  • Formulating security requirements and objectives.
  • Ensuring that security risks are managed cost-effectively.
  • Ensuring compliance with laws and regulations.
  • Providing a process framework for implementing and managing controls so that an organization's specific security objectives are met.
  • Identifying and clarifying existing information security management processes.
  • Enabling management to determine the status of information security management activities.
  • Enabling internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization.
  • Providing relevant information about information security policies, directives, standards and procedures to trading partners.
  • Providing relevant information about information security to customers.