This document critically compares the ISF Standard of Good Practice with ISO 17799. It covers, among other issues, the areas where the two standards correspond, the areas where they differ, and their usability and readability.
With constant media reports of hacked sites, denial of service attacks, computer espionage and newly discovered vulnerabilities in applications and hardware, the management of any organization cannot ignore the likelihood of a security incident. Over the last few years, concern about protecting the organization's assets and minimizing liability has grown substantially, and implementing effective information security controls has recently become a personal responsibility of management.
Most organizations already have some security controls in place, typically a mix of technology (e.g. firewalls and anti-virus software) and documented policies (e.g. a Password Policy or an Email and Internet Usage Policy). The real challenge is to develop these into an integrated Information Security Management System that supports the organization's key business processes and strategic objectives, protects its electronic assets, and mitigates the risks that could leave the organization in an unfavorable position.
Why use a standard at all? Few organizations today have no links from their internal systems to the Internet, and few cannot identify outsiders, such as competitors or criminals, who would exploit the information on their systems to their own advantage. Without a standard approach to an area as diverse and as vital as information security, an organization is unlikely to consider every aspect of security and so remains exposed to an incident that could seriously damage its business. This is where standards are crucial: they provide guidelines for dealing with the many facets of information security and prompt the organization to consider all of them.
Adopting these standards is currently seen as the best way for an organization to address information security systematically and comprehensively, using industry best practice as a baseline. The word baseline matters: the standards are only guidelines, and following them will not protect against every security risk, but it will reduce the probability of known risks materializing.
There are two leading international best practices for information security governance: the ISF Standard of Good Practice and ISO 17799. This paper outlines what these standards are and, by explaining them, shows clearly some of the similarities, discrepancies, shortfalls and advantages of following these international guidelines. It also assesses how well each complements other best practices such as COBIT or ITIL.
ISO 17799
ISO 17799 is a 'Code of Practice for Information Security Management', an international standard providing best practice guidance on the security controls an organization should consider implementing. It details the recommended security measures and practices that support the controls in ISO 27001.
Because it is a 'Code of Practice', organizations cannot be certified against ISO 17799. Certification is only possible against ISO 27001, with ISO 17799 used as the basis for selecting the most suitable security measures for each control. ISO 17799 is not a detailed specification of requirements and says so in its preface: 'The guidance and recommendations provided throughout this Standard should not be quoted as if they were specifications.' More detailed technical standards and guidance are often needed to support the...