• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 514
  • Last Modified:

Security Policy ISO 17799:2000

I am working on trying to create some security policies and find references to ISO 17799:2000, but can't find the actual documents for review.  Is it only for sale?

Also, I see some tools listed as ISO17799 tools.  Anyone with experience on 17799 tools and their success or dislike of them?  Looking for more info and trying to avoid recreating wheel to create Security Policies.

Thanks for any input.

  • 5
  • 2
  • 2
  • +3
1 Solution
bbaoIT ConsultantCommented:
ISO/IEC 17799 is a code of practice. as such, it offers guidelines and voluntary directions for information security management. it is meant to provide a high level, general description of the areas currently considered important when initiating, implementing or maintaining information security in an organization, not the actual detailed documents you are looking for.

i am not sure if you have been the following sites before:

How 7799 Works

ISO17799 Downloads

hope it helps,
You have to buy, to get a legitimate copy of the ISO17799 Standards documents, or else you'll be downloading someone elses copy via file sharing.

ISO 17799 is more of a shopping list, to which you can then choose what is relevant to your company and then apply that.

Remember that it must be independantly auditted, so have a chat with your auditors, as they may have copies of the documentation that can be provided to you.

Most of the ISO17799 web sites will just try and sell you the document, and some very basic tools for applying it.

Speak to someone who's done it (I have) or speak to your auditors as a first port of call.
smeekAuthor Commented:

Yes, I visited those sites.


I guess I am trying to get a sense of the tools available and how helpful they might be.  I have read lots of docs including RFCs, samples and such, but 17799 keeps coming up as the most comprehensive.

What would be your starting suggestions?

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!


Think for the moment in terms of security, as purely physical, and what we are securing as a 3 bedroom house, in a relatively safe neighbourhood.

Now the standard will cover.

Door security, fine, we've got doors, so in the requirements document, we put down the requirements that the standard makes for doors. We then look at what the business requires in the way of door security, and we have our requirements for the standard, and what must be done.

Now the standard will cover highly secure areas. Now we don't have those on the house, so we ignore it, and move onto windows, which we have and cover the same way as doors.

When the standard covers garages, we again move on, as the house we're looking at doesn't have a garage.

Now if you think of the same process, but covering.

Key Management.
Data Centres.
Host and Perimeter Based Access Controls.
Identity Management.

So, lets just take key management. If you're a fortune 500 telecoms company, then your key management, for things like the 2G and 3G keys for your networks, are likely to be very very secure, and you've probably got business requirements that far exceed the basic requiredments of the 17799 standard which say you must keep them secure, and have a procedure, for what to do if you think they've been compromised.

So, in summary, Iso 17799 normally drives a project.

This will takes the businesses needs and desires, maps them with the standards and then gives you a complete list of security requirements, which then must be addresssed, or progress made towards, to gain the standard at Audit.

A good start might be the sample policies from SANS as they seem to cover many of the areas addressed by 17799.


Another good resource is the 7799 checklist which gives excellent coverage:


I also recommend you buy the document for the education and to ensure all bases are covered, but the above should be sufficient for policy development.

Small point, the SANS documents are good, and definately the best I've seen Free.

However, they appear to be based on the *OLD* BS7799 standard, not the new ISO 17799 standard.

there are subtle differences.
Tim HolmanCommented:
What exactly do you need to do here ?
There aren't really that many organisations who can claim to have full BS7799/ISO17799  adherance - it is still pretty exclusive and remains in the echelons of larger corporations.

Actually, there are quite a number of organisations that have, or are in the process of getting ISO17799.

However, you're right, that most of them are larger organisations.
smeekAuthor Commented:
I have looked at the SANS documents and there are great.  I am really looking for a structured approach to review the IT in a 100user company.  While I do not need to ceritfy ISO, my readings suggested that 17799 offered more completeness.  Several of the template documents I have read focus on a section of policy, like Cryptography or they cover several areas, but not in great depth.  I am really looking to find out two items.

1)  Has any personally used the 17799:2000 documents to develop an internal Security Policy and how was it.

2)  Has anyone personally used one of the "toolkits" available for purchase online.  Which toolkit and how helpful was it?

I understand that this is the undertaking of a project, but I want to first develop IT policies, then DR plan.  Also, if anyone has a good IT Policy or DR plan that they would like an opinion on, I would commit to reading a scrubbed version of theirs and offering input for the learning experience before starting mine.  I am doing that for one firm on their DR plan and already have some good suggestions for them, even though their plan is pretty nice.

You might want to look at other frameworks as well.  I like COBIT (Control Objectives for Information and related Technology).   Its free to dload once you make a login,

downloads section

but this file you can get w/o a login, and it will give you the flavor of the objectives and controls:
IT Control Objectives for Sarbanes-Oxley (PDF, 431K) Apr 2004
Smeek. I think you're missing the point of the 17799 toolkits and guides.

Once you have a security policy, you can use ISO17799 to test it, and audit it.

You can use 17799 to develop a policy, but I'd suggest you start with a basic policy, evaluate it against the ISO17799 standard, and see where the gaps are.

Bear in mind, that unless your security policy covers business practises, you will need other documentation.

Other things to look at are Sarbanes-Oxley Act, and the incoming  Companies (Audit, Investigations and Community Enterprise) Bill.

These cover the following types of areas

BPM (Business Process Management) - ensures that specific tasks are assigned to the appropriate people within the organisation in a fully auditable and transparent way. As BPM can automate tasks, it allows the organisation to have greater control over high-risk accounting.

As you can see, this one is outside the scope of an Internal Security Policy.

Disaster Recovery - essential for ensuring the safe retention of keys information.

Email management - taking control of emails out of the hands of employees is "essential for compliance".

Identity and Access Management - ensuring the correct level of security over key information and data.

Network Security - preventing unauthorised access to information and data.

Policy Management - ensuring that the right policies are in place to govern the type of data stored, how long it is stored for and how it is stored.

Records Management - the management of information from the moment it is stored through to its deletion.

Search, Discovery and Retrieval - allows key documents, emails and other records to be found at request.

However the last few, if relevant to your organisation, should get an honourable mention.

You don't mention who the audiance for your security policy is. Is it the board, to feed into an AUP, or for release to the users? or a mixture of the two?
bbaoIT ConsultantCommented:
at the moment, i am listening to the presentation given by the majoar contributor of BS 7799, Ted Humphreys. the presentation title is "Information Security Management - ISMS standards, risk management, implementation, aduits and certifications". he is introducing ISO/IEC TR 18044 at the moment. any question to Ted? hehe ;)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 5
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now