Iso Security

IsoOrganization has involvements in SecurityManagement.

Relevant specifications include ISO17799 [and Part 2: auditing guidelines in BS7799-2 (2002 revision) - not yet adopted?].

• According to LucentTechnologies, ISO 17799 is a direct descendant of the British Standard Institute (BSI) Information Security Management standard BS7799. ref
  • http://www.lucent.com/livelink/090094038006a83b_White_paper.pdf
• FAQ from NIST
  • http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq-110502.pdf
• See more information
  • http://www.iso17799software.com/presentation/ .

There's an ISO 17799 specific wiki site

• http://iso-17799.safemode.org

ISO17799 is essentially identical to BS7799 part 1. It's mostly a collection of good advice. BS7799 Part 2 is a mandated approach to information security management. While it is a reasonable approach (in my opinion) it's not the only approach, and this restriction to a single approach was one of the reasons that the US (and possibly others) objected to its adoption as a ISO standard

Only Part 2 can be audited against, so if you see someone claiming compliance to ISO17799, make sure you understand exactly what they mean by that...

---

Another ISO security standard is ISO 13335 (GMITS or "Guidelines for the Management of IT security")

• A 5 part document. Part 1 concepts and model, part 2 on management and planning, part 3 on techniques related to policy/controls/safeguards, part 4 on list of safeguards, part 5 on network security aspects.
• From http://www.auckland.ac.nz/security/AusCERT2004Report.htm#ISO%2013335,%20the%20new%20standard%20for%20IT%20security%20Jodie%20Siganto

---

''ANSI has also being doing security analysis together with ISO. See a 2004 example

• http://public.ansi.org/ansionline/Documents/Meetings%20and%20Events/2004%20Annual%20Conference/Presentations/Panel%20V/Deane%20-%20Panel%20V.pdf''

---

CategorySecurity