Security Policy ISO 17799:2000

Posted on 2004-08-28
Medium Priority
Last Modified: 2010-04-11
I am working on trying to create some security policies and find references to ISO 17799:2000, but can't find the actual documents for review.  Is it only for sale?

Also, I see some tools listed as ISO17799 tools.  Anyone with experience on 17799 tools and their success or dislike of them?  Looking for more info and trying to avoid recreating the wheel to create Security Policies.

Thanks for any input.

Question by:smeek
LVL 37

Expert Comment

ID: 11925671
ISO/IEC 17799 is a code of practice. As such, it offers guidelines and voluntary directions for information security management. It is meant to provide a high level, general description of the areas currently considered important when initiating, implementing or maintaining information security in an organization, not the actual detailed documents you are looking for.

I am not sure if you have been to the following sites before:

How 7799 Works

ISO17799 Downloads

Hope it helps,

Accepted Solution

Scorp888 earned 2000 total points
ID: 11927946
You have to buy it to get a legitimate copy of the ISO17799 Standards documents, or else you'll be downloading someone else's copy via file sharing.

ISO 17799 is more of a shopping list, to which you can then choose what is relevant to your company and then apply that.

Remember that it must be independently audited, so have a chat with your auditors, as they may have copies of the documentation that can be provided to you.

Most of the ISO17799 web sites will just try and sell you the document, and some very basic tools for applying it.

Speak to someone who's done it (I have) or speak to your auditors as a first port of call.

Author Comment

ID: 11928203

Yes, I visited those sites.


I guess I am trying to get a sense of the tools available and how helpful they might be.  I have read lots of docs including RFCs, samples and such, but 17799 keeps coming up as the most comprehensive.

What would be your starting suggestions?


Expert Comment

ID: 11929044

Think for the moment in terms of security, as purely physical, and what we are securing as a 3 bedroom house, in a relatively safe neighbourhood.

Now the standard will cover.

Door security, fine, we've got doors, so in the requirements document, we put down the requirements that the standard makes for doors. We then look at what the business requires in the way of door security, and we have our requirements for the standard, and what must be done.

Now the standard will cover highly secure areas. Now we don't have those on the house, so we ignore it, and move onto windows, which we have and cover the same way as doors.

When the standard covers garages, we again move on, as the house we're looking at doesn't have a garage.

Now if you think of the same process, but covering.

Key Management.
Data Centres.
Host and Perimeter Based Access Controls.
Identity Management.

So, let's just take key management. If you're a Fortune 500 telecoms company, then your key management, for things like the 2G and 3G keys for your networks, is likely to be very, very secure, and you've probably got business requirements that far exceed the basic requirements of the 17799 standard, which say you must keep them secure and have a procedure for what to do if you think they've been compromised.

So, in summary, ISO 17799 normally drives a project.

This takes the business's needs and desires, maps them to the standard and then gives you a complete list of security requirements, which then must be addressed, or progress made towards, to gain the standard at audit.


Expert Comment

ID: 11950230
A good start might be the sample policies from SANS as they seem to cover many of the areas addressed by 17799.


Another good resource is the 7799 checklist which gives excellent coverage:


I also recommend you buy the document for the education and to ensure all bases are covered, but the above should be sufficient for policy development.


Expert Comment

ID: 11950279
Small point: the SANS documents are good, and definitely the best I've seen free.

However, they appear to be based on the *OLD* BS7799 standard, not the new ISO 17799 standard.

There are subtle differences.
LVL 23

Expert Comment

by:Tim Holman
ID: 11968293
What exactly do you need to do here?
There aren't really that many organisations who can claim to have full BS7799/ISO17799 adherence - it is still pretty exclusive and remains in the echelons of larger corporations.


Expert Comment

ID: 11971346
Actually, there are quite a number of organisations that have, or are in the process of getting ISO17799.

However, you're right, that most of them are larger organisations.

Author Comment

ID: 11971838
I have looked at the SANS documents and they are great.  I am really looking for a structured approach to review the IT in a 100-user company.  While I do not need to certify ISO, my readings suggested that 17799 offered more completeness.  Several of the template documents I have read focus on a section of policy, like Cryptography, or they cover several areas, but not in great depth.  I am really looking to find out two items.

1)  Has anyone personally used the 17799:2000 documents to develop an internal Security Policy, and how was it?

2)  Has anyone personally used one of the "toolkits" available for purchase online?  Which toolkit and how helpful was it?

I understand that this is the undertaking of a project, but I want to first develop IT policies, then DR plan.  Also, if anyone has a good IT Policy or DR plan that they would like an opinion on, I would commit to reading a scrubbed version of theirs and offering input for the learning experience before starting mine.  I am doing that for one firm on their DR plan and already have some good suggestions for them, even though their plan is pretty nice.


Expert Comment

ID: 12009893
You might want to look at other frameworks as well.  I like COBIT (Control Objectives for Information and related Technology).   It's free to download once you make a login:

downloads section

but this file you can get w/o a login, and it will give you the flavor of the objectives and controls:
IT Control Objectives for Sarbanes-Oxley (PDF, 431K) Apr 2004

Expert Comment

ID: 12022657
Smeek. I think you're missing the point of the 17799 toolkits and guides.

Once you have a security policy, you can use ISO17799 to test it, and audit it.

You can use 17799 to develop a policy, but I'd suggest you start with a basic policy, evaluate it against the ISO17799 standard, and see where the gaps are.

Bear in mind that unless your security policy covers business practices, you will need other documentation.

Other things to look at are the Sarbanes-Oxley Act, and the incoming Companies (Audit, Investigations and Community Enterprise) Bill.

These cover the following types of areas:

BPM (Business Process Management) - ensures that specific tasks are assigned to the appropriate people within the organisation in a fully auditable and transparent way. As BPM can automate tasks, it allows the organisation to have greater control over high-risk accounting.

As you can see, this one is outside the scope of an Internal Security Policy.

Disaster Recovery - essential for ensuring the safe retention of key information.

Email management - taking control of emails out of the hands of employees is "essential for compliance".

Identity and Access Management - ensuring the correct level of security over key information and data.

Network Security - preventing unauthorised access to information and data.

Policy Management - ensuring that the right policies are in place to govern the type of data stored, how long it is stored for and how it is stored.

Records Management - the management of information from the moment it is stored through to its deletion.

Search, Discovery and Retrieval - allows key documents, emails and other records to be found at request.

However the last few, if relevant to your organisation, should get an honourable mention.

You don't mention who the audience for your security policy is. Is it the board, to feed into an AUP, or for release to the users, or a mixture of the two?
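The applicability-driven gap analysis described in the house analogy above and in the advice to evaluate a basic policy against the standard, as an added Python example that is not from the thread; the control areas and the 0-3 levels are constructed placeholders, not the standard's own text:

```python
"""Gap analysis of a draft security policy against a control checklist.

Constructed example: control areas, levels and the org profile are
illustrative placeholders, not the contents of ISO/IEC 17799.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    area: str       # control area named by the standard (constructed)
    baseline: int   # minimum level the standard expects (constructed 0-3 scale)


# Constructed checklist standing in for the standard's control areas.
CHECKLIST = [
    Control("door security / physical entry", 2),
    Control("highly secure areas", 3),
    Control("key management", 2),
    Control("identity management", 2),
    Control("incident response procedure", 1),
]

# Constructed org profile: whether the area applies to this organisation, the
# level the business itself demands (None = nothing beyond the standard), and
# the level the current draft policy actually reaches.
ORG = {
    "door security / physical entry": {"applicable": True, "business": None, "current": 2},
    "highly secure areas": {"applicable": False, "business": None, "current": 0},
    "key management": {"applicable": True, "business": 3, "current": 3},
    "identity management": {"applicable": True, "business": None, "current": 1},
    # "incident response procedure" is absent: the draft policy never considered it
}


def gap_analysis(checklist, org):
    """Return {area: (required, current, status)}; not-applicable areas are skipped."""
    report = {}
    for c in checklist:
        # An area missing from the profile is treated as applicable and unaddressed.
        profile = org.get(c.area, {"applicable": True, "business": None, "current": 0})
        if not profile["applicable"]:
            continue  # like the house with no garage: that section of the standard is ignored
        required = max(c.baseline, profile["business"] or 0)  # stricter of standard and business
        status = "meets" if profile["current"] >= required else "gap"
        report[c.area] = (required, profile["current"], status)
    return report


def open_gaps(report):
    """Areas that must be addressed, or shown as in progress, before audit."""
    return sorted(area for area, (_, _, status) in report.items() if status == "gap")
```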
LVL 37

Expert Comment

ID: 12023042
At the moment, I am listening to the presentation given by the major contributor to BS 7799, Ted Humphreys. The presentation title is "Information Security Management - ISMS standards, risk management, implementation, audits and certifications". He is introducing ISO/IEC TR 18044 at the moment. Any question for Ted? hehe ;)
