ISO 17799 and 27001: Setting the Standards for Information Security

Published 2006-10-02, category: regulations
https://www.cybersecurityinstitute.com/blog/index.php/2006/10/02/iso-17799-and-27001-setting-the-standards-for-information-security/

Financial institutions are subject to a slew of laws and regulations aimed at information security. There's Gramm-Leach-Bliley (privacy), the Federal Financial Institutions Examination Council (authentication and online banking), and the Payment Card Industry (card security). There's also California's and other states' data breach disclosure laws, and the Sarbanes-Oxley Act. They have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Standards Organization has developed two standards that do precisely that. The two standards, ISO 17799 and ISO 27001, together provide a set of best practices and a certification standard for information security.

ISO 17799 provides best practice recommendations for initiating, implementing, or maintaining information security management systems. The standard contains 12 sections: risk assessment and treatment; security policy; organization of information security; asset management; access control; information security incident management; human resources security; physical and environmental security; communications and operations management; information systems acquisition, development and maintenance; business continuity management; and compliance. Within each section, information security control objectives are specified along with a range of controls, and for each control, implementation guidance is provided.

The second standard, ISO 27001, specifies requirements for establishing, implementing, maintaining, and improving an information security management system consistent with the best practices outlined in ISO 17799. ISO 27001 is the first standard in a proposed series of information security standards which will be assigned numbers within the ISO 27000 series. ISO 17799 is expected to be renamed ISO 27002 in 2007. ISO 27001 is the formal standard against which organizations may seek independent certification of their information security management systems. It contains a total of 133 controls in eleven sections.

Certification is entirely voluntary but is increasingly being demanded by suppliers and business partners who are concerned about information security.

The management processes implemented for ISO 27001 are based on the Deming cycle of continuous improvement: Plan-Do-Check-Act. Measuring effectiveness is a critical element of improving information security management, and hence of realizing business benefit and flexibility in a changing environment.

Source: http://www.bankinfosecurity.com/articles.php?art_id=165