The revised standard recognizes that the level of security achievable purely through technical means is limited. The required level of security, established by weighing the risks and the costs of security breaches against the costs of implementing security, should always be driven by appropriate management controls and procedures.
“Users of this standard can also demonstrate to business partners, customers and suppliers that they’re fit enough and secure enough to do business with, providing the chance for them to turn their investment in information security into business-enabling opportunities,” says Ted Humphreys, convener of the working group that developed the standard.
ISO/IEC 17799:2005 is a code of practice for information security management, but it’s not suitable for certification purposes.
For more information, visit www.iso.org.