Directory of services/software for ISO 17799 audit  

Part 1: Building the Base Blocks

Time, money and dreams have surrounded the development and implementation of the finest marvels of human intelligence. Seamless integration of software and hardware components has created online modules focused on driving businesses to heights that transcend physical boundaries and conventional business possibilities.

While aiming to acquire global wealth and global markets, business drivers have suddenly realized the need for an 'omnipresent' security guard to protect IT assets from external attack and internal abuse. Businesses could now open a thousand doors, inviting clients, employees and potential hackers to place orders online, complete a business process, or easily steal whatever one has built over many years.

The need to allow only the "Right Guy" in has become one of the most important underlying factors for business success and a justification for the investments made in IT. IT Managers started buying firewalls and Intrusion Detection Systems, and invested again in building an "over-night" security infrastructure for the IT assets of the company.

In 1993, many global companies realized that security is not a fix-now-and-relax mechanism but a culture which has to be built, nurtured, enhanced, standardized and reviewed. Security experts came together to create an industry working group which would help create a standard for information security.

The world now started working on a Standard for Information Security Management.

Thirteen global companies, including financial service companies, communications companies, huge retail giants and companies with an international consumer base, got together to create BS 7799 (ISO 17799) Part One – Code of Practice for Information Management, which was published in 1995. BS 7799 (ISO 17799) Part Two – Specifications for Information Security Management System was then published in 1998. In 1999 BS 7799 Parts One and Two were republished.

In December 2000 BS 7799 Part One was adopted as ISO 17799:2000. Part Two is now being reviewed and will soon become an ISO Standard.


The Need for the Standard:

The need for a standard on Information Security came up primarily because the market was crowded with security vendors and independent security consultants pushing their own "approved" methodology for Information Security Management. Many companies had burnt their fingers hiring such services, which ultimately proved neither sustainable nor usable.

Moreover, there was an urgent need to capture the collective experience of IT Managers in various companies around the world. This would help generate a mature and realistic approach to the present and future security issues that come up in the day-to-day management of IT departments.

Companies needed a model to follow, as the era of Information Security Management had only just begun.

BS 7799 (ISO 17799) - Key Components of the Standard

The Standard is divided into two parts:

  BS 7799 Part 1 (ISO 17799:2000 Standard): Code of Practice for Information Security Management

  BS 7799 Part 2: Specifies requirements for establishing, implementing and documenting an Information Security Management System (ISMS)

The standard has 10 Domains, which address the key areas of Information Security Management.

  1. Information Security Policy for the organization

     This activity involves a thorough understanding of the organization's business goals and its dependence on information security. The entire exercise begins with the creation of the IT Security Policy. This is an extremely important task and should convey the total commitment of top management. The policy cannot be a theoretical exercise: it should reflect the needs of the actual users, be implementable and easy to understand, and must balance the level of protection with productivity. The policy should cover all the important areas, such as personnel, physical, procedural and technical security.

  2. Creation of information security infrastructure

     A management framework needs to be established to initiate, implement and control information security within the organization. This requires proper procedures for approval of the information security policy, assignment of security roles and coordination of security across the organization.

  3. Asset classification and control

     One of the most laborious but essential tasks is to maintain an inventory of all IT assets, which may be information assets, software assets, physical assets or other similar services. These assets need to be classified to indicate the degree of protection they require. The classification should result in appropriate labeling of information to indicate whether it is sensitive or critical, and which procedures are appropriate for copying, storing, transmitting or destroying the information asset.

  4. Personnel Security

     Human errors, negligence and greed are responsible for most thefts, frauds and misuse of facilities. Proactive measures that should be taken include personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training.

     Alert and well-trained employees who are aware of what to look for can prevent future security breaches.

  5. Physical and Environmental Security

     Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the starting point of any security plan. Activities include establishing a physical security perimeter and physical entry controls, creating secure offices, rooms and facilities, providing physical access controls, providing protection devices to minimize risks ranging from fire to electromagnetic radiation, and adequately protecting power supplies and data cables. Cost-effective design and constant monitoring are the two key aspects of maintaining adequate physical security control.

  6. Communications and Operations Management

     Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.

     Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment, including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of network services.

     Exchange of information and software between external organizations should be controlled and should comply with any relevant legislation. There should be proper information and software exchange agreements, and media in transit need to be secured so that they are not vulnerable to unauthorized access, misuse or corruption.

     Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as the Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract disputes and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.

  7. Access control

     Access to information and business processes should be controlled on the basis of business and security requirements. This includes defining an access control policy and rules, user access management, user registration, privilege management, user password use and management, review of user access rights, network access controls, enforcing the path from user terminal to computer, user authentication, node authentication, segregation of networks, network connection control, network routing control, operating system access control, user identification and authentication, use of system utilities, application access control, monitoring system access and use, and ensuring information security when using mobile computing and tele-working facilities.

  8. System development and maintenance

     Security should ideally be built in at the inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems. This begins with security requirements analysis and specification, and continues with controls at every stage, i.e. data input, data processing, data storage and retrieval, and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may cover encryption, digital signatures, use of digital certificates, protection of cryptographic keys and the standards to be used for cryptography.

     A strict change control procedure should be in place to facilitate tracking of changes. Any changes to operating systems or software packages should be strictly controlled. Special precaution must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation.

  9. Business Continuity Management

     A business continuity management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and, depending on the risk assessment, preparing a strategy plan. The plan needs to be periodically tested, maintained and re-assessed based on changing circumstances.

  10. Compliance

     It is essential that strict adherence is observed to the provisions of national and international IT laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls and collection of evidence.

     The use of Information Technology in business has also resulted in the enactment of laws that enforce responsibility for compliance. All legal requirements must be complied with to avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and of any security requirements.


BS 7799 (ISO 17799) and its relevance to Indian Companies:

Although Indian companies and the Government have invested in IT, the facts about theft and attacks on Indian sites and companies are alarming. 261 Indian Government sites were hacked in 2001.* Attacks and theft on corporate websites are frequent and are usually kept under "strict" secrecy to avoid embarrassment in front of business partners, investors, media and customers.

Huge losses are sometimes unaudited, and the only solution is to adopt a model that provides a long-run, business-led approach to Information Security Management.

BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 Domains discussed above) which Indian companies can adopt to build their security infrastructure. Even if a company decides not to go in for certification, the BS 7799 (ISO 17799) model helps companies maintain IT security through ongoing, integrated management of policies and procedures, personnel training, selection and implementation of effective controls, review of their effectiveness, and improvement. Additional benefits of an ISMS are improved customer confidence, a competitive edge, better personnel motivation and involvement, and reduced incident impact. Ultimately, this leads to increased profitability.

For comments and questions on this paper please write to: