Backup And ISO 17799 – What Do They Have In Common?

by Editorial Team

Do you know what ISO 17799 is and how it is organised? Whatever your answer, this article presents its main points.

As a general rule, all types of standards aim to establish principles and criteria, define best practices and promote uniformity in processes, products, or services.

In other words, standards can be described as procedures that aim to guarantee the efficiency and quality of a given assignment, area, or activity.

For context, “ISO” stands for the International Organization for Standardization, a body founded in 1947 and headquartered in Geneva, Switzerland.

It works through the national standards bodies of more than 160 countries, and the standards it publishes are usually of technical and/or economic interest.

That said, let’s get to what really matters: ISO 17799. If you want to increase the reliability of your business in the market, keep reading this post!

What is ISO 17799?

ISO 17799 (formally ISO/IEC 17799) is a code of practice for information security management: a catalogue of control objectives and recommended controls. In 2007 it was renumbered ISO/IEC 27002 and it is maintained today under that number (the current edition is ISO/IEC 27002:2022), so the two names refer to the same body of guidance. With the growth of digital threats and the increasing exposure of data on the internet, its importance keeps increasing.

ISO 17799 gives companies a benchmark for building and evaluating their information security management, promoting the reliability of business transactions and the protection of business information as a whole. One caveat worth knowing: it is a code of practice, not a certification standard. Organisations are certified against ISO/IEC 27001, which specifies the management system and uses the 17799/27002 controls as its control catalogue.

The 2005 edition is divided into eleven control areas, preceded by introductory clauses on scope, terms and definitions, the structure of the standard, and risk assessment and treatment:

  1. Security policy;
  2. Organization of information security;
  3. Asset management;
  4. Human resources security;
  5. Physical and environmental security;
  6. Communications and operations management;
  7. Access control;
  8. Information systems acquisition, development and maintenance;
  9. Information security incident management;
  10. Business continuity management;
  11. Compliance.

These areas are the “macro-areas” of information security management as the standard sees them. Each one groups a set of control objectives and the controls that satisfy them, so that the work can be divided up and carried out as efficiently as possible.

What are its main points?

Now that we have seen what ISO 17799 is, let us highlight its main points. Briefly, they are:

Organize information security

In order to implement good information security, it is necessary to establish a structure to manage it.

Information security activities should be coordinated by representatives of the organization's different departments, with relevant roles assigned and responsibilities clearly defined.

When confidential information must be protected, confidentiality agreements should be established that spell out which data is accessed, processed, communicated and managed by external parties, such as customers and third parties.

Manage assets

According to ISO 17799, anything that has value to the organization is an asset. Managing these assets is therefore one of its most important points, since in practice it means protecting business information.

For assets to be properly protected, they must first be inventoried and identified, and each one given an owner who is accountable for it. The next step is to classify them according to the level of protection they require, documenting the handling rules and defining acceptable use.

Backups belong in this context: they are what makes it possible to restore data after loss, corruption or theft. For anyone providing managed IT services, offering them is a must.

Manage operations and communications

Another aspect worth mentioning is the management of operations and communications. The procedures and responsibilities involved in processing information must be very well defined; otherwise the chances of errors and mismatches between teams will be considerably higher.

Segregation of duties is also recommended: no single person should be able to carry out every step of a process. Each person is responsible for a part of the whole rather than for everything, which reduces the risk of accidental or deliberate misuse of systems. For backups, for example, the person who can write or delete backup copies should not be the only one who can verify them.

For the management of outsourced services, it is necessary to ensure that the security levels agreed in the contract are implemented and maintained, and that the contracted party actually meets the obligations it has assumed.

System resources and availability must also be planned and prepared in advance (what the standard calls capacity management); only then can the risk of failures really be reduced, because planning lets you project future capacity needs instead of discovering them during an outage.

Once again, backup generation must be established so that data can be recovered when needed, and the standard expects backup copies to be tested regularly to confirm that they can actually be restored. Secure network management is also required, with additional controls to protect information that travels over public networks.

Acquire, develop and maintain information systems

According to the ISO 17799 standard, infrastructure, operating systems, business applications, off-the-shelf products, services and user-developed applications are all components of information systems.

For this reason, their security requirements must be identified and agreed before the system is acquired or developed. Data must be protected with the confidentiality, integrity and authenticity of the information in mind; where the requirements call for it, cryptographic controls (encryption, digital signatures, message authentication codes) should be used, backed by a policy on their use and on key management.
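The two backup points above (a backup is only useful if it can actually be restored, and integrity should be protected by cryptographic means) can be put together in one small tool. The following is an added example written for this article, not code from the standard or from any product it mentions. It archives a directory, writes a SHA-256 manifest of every file, protects the manifest with an HMAC, and then performs the restore test the standard asks for: it extracts the archive into scratch space and compares every restored file with the manifest. The key `MANIFEST_KEY`, the function names and the sample files are all assumptions made for the example; in a real deployment the key would come from a KMS or HSM and be held by someone other than the operators who can write to the backup store.

```python
"""Backup with an HMAC-protected integrity manifest and a restore test.

Added example for this article (stdlib only). The key below is a placeholder
for illustration; it is not a recommendation to keep keys in source code.
"""
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path

# Hypothetical key for this example only; a real deployment fetches it from a
# KMS/HSM and keeps it away from the people who can write to the backup store.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(files: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of the manifest."""
    payload = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(src: Path, archive: Path, key: bytes) -> dict:
    """Write src as a tar.gz and an HMAC-signed manifest beside it."""
    files = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    signed = {"files": files, "mac": sign_manifest(files, key)}
    manifest_path(archive).write_text(json.dumps(signed, sort_keys=True))
    return signed


def _safe_members(tar: tarfile.TarFile):
    """Refuse archive entries that would escape the restore directory."""
    for m in tar.getmembers():
        if Path(m.name).is_absolute() or ".." in Path(m.name).parts:
            raise ValueError(f"unsafe path in archive: {m.name}")
        yield m


def verify_restore(archive: Path, key: bytes) -> tuple:
    """Restore into scratch space and compare every file with the signed manifest.

    Returns (ok, problems). First the manifest MAC is checked with a
    constant-time comparison; only then is the archive trusted enough to extract.
    """
    signed = json.loads(manifest_path(archive).read_text())
    if not hmac.compare_digest(sign_manifest(signed["files"], key), signed["mac"]):
        return False, ["manifest MAC mismatch: manifest altered or wrong key"]
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, members=_safe_members(tar))
        restored = build_manifest(Path(scratch))
        for rel, digest in signed["files"].items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        problems += [f"unexpected file: {r}" for r in restored if r not in signed["files"]]
    return not problems, problems


def run_demo() -> dict:
    """Constructed end-to-end run on throwaway sample data (not real records)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("customer records\n")   # constructed sample
        (src / "sub" / "b.txt").write_text("ledger\n")     # constructed sample
        archive = work / "backup.tar.gz"
        create_backup(src, archive, MANIFEST_KEY)
        clean_ok, _ = verify_restore(archive, MANIFEST_KEY)
        wrong_key_ok, _ = verify_restore(archive, b"not-the-key")
        # Archive rewritten after the manifest was signed: content drift is caught.
        (src / "a.txt").write_text("customer records (silently changed)\n")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        drift_ok, drift_reasons = verify_restore(archive, MANIFEST_KEY)
        # Manifest edited without the key: the MAC check fails before any extraction.
        mp = manifest_path(archive)
        signed = json.loads(mp.read_text())
        signed["files"]["a.txt"] = "0" * 64
        mp.write_text(json.dumps(signed, sort_keys=True))
        tampered_ok, tamper_reasons = verify_restore(archive, MANIFEST_KEY)
    return {"clean": clean_ok, "wrong_key": wrong_key_ok,
            "drift": drift_ok, "drift_reasons": drift_reasons,
            "tampered": tampered_ok, "tamper_reasons": tamper_reasons}


if __name__ == "__main__":
    print(run_demo())
```

Run as a script it prints the four outcomes: a clean backup verifies, a wrong key is rejected, an archive that no longer matches its manifest is reported file by file, and an edited manifest fails the MAC check before anything is extracted. Scheduling `verify_restore` against production backups is the practical form of the "tested regularly" requirement; an HMAC was chosen over a plain digest because a digest stored beside the archive can be recomputed by whoever can alter the archive, whereas the MAC cannot be recomputed without the key.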

Control access

No less important is access control. Both information processing resources and business processes must be controlled based on security rules.

Therefore, access for authorized users must be guaranteed and access for unauthorized users prevented. The procedures cover the whole life cycle, from initial user registration through periodic review of access rights to their removal when someone leaves or changes role. As for the users themselves, each one must know their responsibilities and permissions with regard to the use and security of equipment and systems.

To conclude, it is important to emphasize the importance of providing a secure and reliable environment. Keep in mind that this is the minimum that is expected of those who provide services in the area of information technology.

We hope you enjoyed this article about ISO 17799. If you want to stay on top of other issues related to the IT environment, subscribe to our newsletter right now!
