The IT Law Wiki

Citation

ISO/IEC 17799:2005: "Information technology — Security techniques — Code of practice for information security management" (Summary).

Overview

This standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.

It is high level, broad in scope, conceptual in nature, and intended to provide a basis for an organization to develop its own organizational security standards and security management practices.

The standard states:

This code of practice may be regarded as a starting point in developing organization-specific guidance. Not all of the guidance and controls in the code of practice may be applicable. Furthermore, additional controls not included in this document may be required.

ISO/IEC 17799 is a widely recognized, comprehensive information security standard. The 2005 edition is organized into eleven security control clauses (the 2000 edition had ten; the 2005 revision added information security incident management), each stating control objectives and the controls that support them. ISO/IEC 17799 offers guidelines and voluntary direction for information security management and is meant to provide a general description of the areas considered important when initiating, implementing, or maintaining information security in an organization. It addresses these topics in terms of policies and general good practices but does not provide definitive implementation details or "how-tos"; the certifiable requirements for an information security management system are specified separately in ISO/IEC 27001.

In 2007 this standard was renumbered, without change to its content, as ISO/IEC 27002:2005, bringing it into the ISO/IEC 27000 series of information security standards.
