ISO 17799 provides best practice recommendations for initiating, implementing, and maintaining information security management systems. The standard contains 12 sections: risk assessment and treatment; security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance. Each section specifies information security control objectives and a range of controls that address them, and implementation guidance is provided for each control.
The second standard, ISO 27001, specifies requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS) consistent with the best practices outlined in ISO 17799. ISO 27001 is the first standard in a proposed series of information security standards that will be assigned numbers within the ISO 27000 series; ISO 17799 is expected to be renamed ISO 27002 in 2007. ISO 27001 is the formal standard against which organizations may seek independent certification of their information security management systems. Its Annex A contains a total of 133 controls in eleven sections, mirroring the control sections of ISO 17799 (the risk assessment and treatment section of ISO 17799 contains no controls of its own, which is why the counts differ).
Certification is entirely voluntary, but organizations concerned about information security are increasingly demanding it of their suppliers and business partners.
The management processes implemented for ISO 27001 are based on the Deming cycle of continuous improvement: Plan-Do-Check-Act. Measuring the effectiveness of controls (the Check phase) is a critical element of improving information security management (the Act phase), and hence of realizing business benefit and remaining flexible in a changing environment.
http://www.bankinfosecurity.com/articles.php?art_id=165