Information security management best practice based on ISO/IEC 17799; the international information security standard provides a framework for ensuring business continuity, maintaining legal compliance, and achieving a competitive edge.

Author: Saint-Germain, Rene
Position: Setting Standard

Security matters have become an integral part of daily life, and organizations need to ensure that they are adequately secured. While legislatures enact corporate governance laws, more and more businesses are seeking assurance that their vendors and partners are properly protecting information assets from security risks and are taking necessary measures to ensure business continuity. Security management certification provides just such a guarantee, thereby increasing client and partner confidence.

A number of best practice frameworks exist to help organizations assess their security risks, implement appropriate security controls, and comply with governance requirements as well as privacy and information security regulations. Of the various best practice frameworks available, the most comprehensive approach is based on the implementation of the international information security management standard, ISO/IEC 17799, and subsequent certification against the British standard for information security, BS 7799. This ISO 17799/BS 7799 framework is the only one that allows organizations to undergo a third-party audit.

Organizations today must deal with a multitude of information security risks. Terrorist attacks, fires, floods, earthquakes, and other disasters can destroy information processing facilities and critical documents. Theft of trade secrets and the loss of information due to unexpected computer shutdowns can cause businesses to lose their commercial advantage. The CSI/FBI Computer Crime and Security Survey states that total losses in the United States in 2004 as a result of computer security breaches reached $141,496,560. Organizations often tackle security issues as part of their efforts to comply with a variety of regulatory requirements, such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). It is becoming increasingly clear, however, that to address all aspects of security, organizations need to implement a more comprehensive approach using a methodical compliance framework.

Compliance is not always straightforward. As META Group notes in its white paper, "Unraveling Security and Risk Regulation," legislation governing regulatory requirements often lacks the specificity organizations need to know how to comply. According to META Group, companies and institutions affected by such legislation must decide for themselves which security controls are appropriate for their organizations.

An increasing number of businesses, moreover, are seeking to obtain security certification from third-party organizations, given that certification guarantees that the controls implemented meet information security requirements. Certification enables organizations to comply with increasing demands from financial institutions and insurance companies for security audits. In addition, it builds trust in an organization's capacity to implement appropriate security controls to manage and protect confidential client and business information.

Some best practices that facilitate the implementation of security controls include Control Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE). Focus on the ISO/IEC 17799 standard is warranted, given that it provides the most comprehensive approach to information security management. The other best practices focus more on IT governance in general, or on the technical aspects of information security. (See Table 3.) Moreover, ISO 17799/BS 7799 is the only best practice framework that allows organizations to undergo a third-party audit and become certified. Implementing an overarching compliance framework using ISO/IEC 17799 and BS 7799 requires a methodical information security management system that facilitates the planning, implementation, and documentation of security controls and ensures a constant process review.

ISO/IEC 17799: An Information Security Management Standard

ISO/IEC 17799:2000 Information Technology--Code of Practice for Information Security Management defines information security as the preservation of information confidentiality, integrity, and availability. The goals of information security are to ensure business continuity, to maintain legal compliance, and to achieve a competitive edge. For example, organizations with a committed client base and an established partner network need to demonstrate to their partners, shareholders, and clients that they have identified and measured their security risks and implemented a security policy and controls that will mitigate these risks. Such controls might include, for example, the use of digital certificates for electronic transactions, the drafting and testing of business continuity plans, the use of secure backup media, and the implementation of appropriate access controls.

In drafting a security policy and implementing appropriate security controls, organizations comply with legal requirements and demonstrate their commitment to securing information assets and to protecting the confidentiality of personally identifiable customer information. They also provide their business partners and clients with greater confidence in their capacity to prevent and rapidly recover from any interruptions to production or...