| ISO
Code of Practice for Information Security Management (ISO 17799,
27002)
The ISO 27002 (formerly 17799) security standards represent
one approach to security policy construction.
For a contrasting approach, see the HIPAA Security Rule structure
of administrative,
physical and
technical safeguards.
Or the Payment Card Industry Data Security Standard (PCI-DSS).
The ISO standard is composed of 12 securiuty "clauses."
Within those 12 clauses are 39 main security categories. Within
each category there may be several components.
For each component there is a control objective, stating
what is to be achieved, and one or more controls that can
be applied to achieve that objective.
The 12 clauses are:
- Risk assessment
and treatment
-- Assessing security risks
- Security risk assessment
-- Treating security risks
- Security risk treatment
- Security policy
-- Information security policy
- Information security policy document
- Review of information security policies
-- Other security policy
- Coordination with other security policies
- Organization of information
security
-- Internal organization
- Management commitment to information
security
- Information security coordination
- Allocation of information security
responsibilities
- Authorization process for information
processing facilities
- Confidentiality agreements
- Contact with authorities
- Contact with special interest groups
- Independent review of information security
-- External parties
- Identification of risks related to
external parties
- Addressing security when dealing with
customers
- Addressing security in third party
agreements
- Asset management
-- Responsibility for assets
- Inventory of assets
- Ownership of assets
- Acceptable use of assets
-- Information classification
- Classification guidelines
- Information labelling and handling
- Human resources security
-- Prior to employment
- Roles and responsibilities
- Screening
- Terms and conditions of employment
-- During employment
- Management responsibilities
- Information security awareness, education
and training
- Disciplinary process
-- Termination or change of employment
- Termination responsitibilities
- Return of assets
- Removal of access rights
- Physical and environmental
security
-- Secure areas
- Physical security perimeter
- Physical entry controls
- Secure offices, rooms and facilities
- Protecting against external and environmental
threats
- Working in secure areas
- Public access, delivery and loading
access
-- Equipment security
- Equipment siting and protection
- Supporting utilities
- Cabling security
- Equipment maintenance
- Security of equipment off-premises
- Secure disposal or re-use of equipment
- Removal of property
- Communications and
operations management
-- Operational procedures and responsibilities
- Documented operating procedures
- Change management
- Segregation of duties
- Separation of development, test and
operational facilities
-- Third-party service delivery management
- Service delivery
- Monitoring and review of third-party
services
- Managing changes to third-party services
-- System planning and acceptance
- Capacity management
- System acceptance
-- Protection against malicious and mobile code
- Controls against malicious code
- Controls against mobile code
-- Back-up
- Information back-up
-- Network security management
- Network controls
- Security of network services
-- Media handling
- Management of removable media
- Disposal of media
- Information handling procedures
- Security of system documentation
-- Exchange of information
- Information exchange policies and procedures
- Exchange agreements
- Physical media in transit
- Electronic messaging
- Business information systems
-- Electronic commerce services
- Electronic commerce
- On-line transactions
- Publicly available information
-- Monitoring
- Audit logging
- Monitoring system use
- Protection of log information
- Administrator and operator logs
- Fault logging
- Clock synchronization
- Access control
-- Business requirements for access control
- Access control policy
-- User access management
- User registration
- Privilege management
- User password management
- User access token management
- Review of user access rights
-- User responsibilities
- Password use
- Access token use
- Monitoring of activity history
- Unattended user equipment
- "Clear desk - clear screen" policy
- "Clear equipment" policy
-- Network access control
- Policy on use of network services
- User authentication for external
connection
- Equipment/location identification in
networks
- Remote diagnostic and configuration
port protection
- Segregation in networks
- Network connection control
- Network routing control
-- Operating system access control
- Secure log-on procedures
- User identification and authentication
- Password management system
- Acess token management system
- Use of system utilities
- Session time-out
- Limitation of connection time
-- Application and information access control
- Information access restriction
- Sensitive system isolation
-- Mobile computing and teleworking
- Mobile computing and communications
- Teleworking
- Information systems
acquisition, development and maintenance
-- Security requirements of information systems
- Security requirements analysis and
specification
-- Correct processing in applications
- Input data validation
- Control of internal processing
- Message integrity
- Output data validation
-- Cryptographic controls
- Policy on the use of cryptographic
controls
- Key management
-- Security of system files
- Control of operational software
- Protection of system test data
- Access control for program source
control
-- Security development and support processes
- Change control procedures
- Technical review of applications after
operating system changes
- Restrictions on changes to software
packages
- Information leakage
- Outsourced software development
-- Technical vulnerability management
- Control of technical vulnerabilities
- Information
security incident management
-- Reporting information security events and weaknesses
- Reporting information security events
- Reporting security weakesses
-- Management of information security incidents and
improvements
- Responsibilities and procedures
- Learning from information security
incidents
- Investigation of incidents
- Collection of evidence
- Business continuity
management
-- Information security aspects of business continuity management
- Including info security in the business
continuity mgmt process
- Business continuity and risk assessment
- Developing and implementing continuity
plans including info security
- Business continuity planning framework
- Testing, maintaining and re-assessing
business continuity plans
- Compliance
-- Compliance with legal requirements
- Identification of applicable statutes,
regs, certification standards
- Protection of confidentiality of personal
information
- Protection of intellectual property
rights
- Protection of organizational records
- Prevention of misuse of information
and info processing facilities
- Regulation of cryptographic controls
and other technologies
-- Compliance with organizational security policies, tech
standards
- Periodic review of security processes
- Periodic checks of technical compliance
-- Information systems audit considerations
- Information systems audit controls
- Protection of information system audit
tools
Last modified:
24-Jul-2006
[RC]
|
