ISO IEC 17799 2000
TRANSLATED INTO PLAIN ENGLISH
 PART 4. ORGANIZATIONAL SECURITY

 

ISO 17799 2000 is now OBSOLETE.
Please see ISO 27002 2005 (17799 2005)!

We’ve used a task oriented approach to translate the ISO 17799
information security practices into plain English. This means that our
plain English standard consists entirely of tasks. So if you want to
implement the ISO 17799 standard, all you have to do is carry out the
tasks that we have listed. However, you don’t have to perform every
task. These are recommended tasks, not compulsory tasks.

In order to give you the freedom to choose whether or not you wish
to carry out a recommended task, we offer three response options
for each task: DO, DONE, or N/A. If you haven’t done the task and you
feel it needs to be done, select DO. Select DO if the task addresses
one of your information security risks or needs. If you’ve already done
the task, select DONE. If the task is not applicable in your situation or
does not address your information security risks and needs, then
answer N/A (not applicable).

THE FOLLOWING MATERIAL IS NOW OBSOLETE

ISO IEC 17799 2000
INFORMATION SECURITY STANDARD

4. ORGANIZATIONAL SECURITY

4.1 ESTABLISH A SECURITY INFRASTRUCTURE

COMMENTS

1

Establish a management framework to control how
your organization implements information security.

DO

DONE

N/A

2

Establish a management forum to review
and approve your information security policy.

DO

DONE

N/A

3

Establish a management forum to co-ordinate and
control the implementation of your organization’s
information security program.

DO

DONE

N/A

4

Establish a management forum to assign
information security roles and responsibilities.

DO

DONE

N/A

5

Make sure that you have access to information
security experts and advisors within your own
organization.

DO

DONE

N/A

6

Make sure that your internal experts are able to
provide specialized information security advice.

DO

DONE

N/A

7

Make sure that you have access to external
information security experts and advisors.

DO

DONE

N/A

8

Make sure that your external advisors help
you to monitor changes in information security
standards and methods.

DO

DONE

N/A

9

Make sure that your external information
security experts and advisors help you to
deal with security incidents.

DO

DONE

N/A

10

Make sure that your organization encourages
the use of a multi-disciplinary approach to
information security.

DO

DONE

N/A

4.1.1 SET UP AN INFORMATION SECURITY FORUM

COMMENTS

11

Assign the responsibility for information security
to a single manager within your organization.

DO

DONE

N/A

12

Establish a management forum that you can
use to support information security initiatives.

DO

DONE

N/A

13

Make sure that your security management forum
promotes the importance of information security.

DO

DONE

N/A

14

Make sure that your security management
forum ensures that adequate resources
are provided to support security.

DO

DONE

N/A

15

Make sure that your security management
forum reviews and approves your information
security policy.

DO

DONE

N/A

16

Make sure that your security management
forum reviews and approves information
security responsibilities.

DO

DONE

N/A

17

Make sure that your security management forum
monitors major security threat changes and trends.

DO

DONE

N/A

18

Make sure that your security management forum
monitors how exposed your information assets are.

DO

DONE

N/A

19

Make sure that your security management forum
monitors and reviews information security incidents.

DO

DONE

N/A

20

Make sure that your security management
forum reviews and approves improvements
in information security.

DO

DONE

N/A

4.1.2 CO-ORDINATE SECURITY IMPLEMENTION

COMMENTS

21

Establish a management forum that you can use to
co ordinate the implementation of security controls.

DO

DONE

N/A

22

Make sure that management forum members
represent all relevant areas of your organization.

DO

DONE

N/A

23

Make sure that your security management forum
distributes information security roles and
responsibilities throughout your organization.

DO

DONE

N/A

24

Make sure that your security management
forum reviews and approves information
security methods and techniques.

DO

DONE

N/A

25

Make sure that your security management
forum approves and supports information
security initiatives.

DO

DONE

N/A

26

Make sure that your security management
forum ensures that security is considered
during the information planning process.

DO

DONE

N/A

27

Make sure that your security management
forum evaluates the adequacy of security
controls that will be used to protect new
information systems or services.

DO

DONE

N/A

28

Make sure that your security management
forum co-ordinates the implementation of
security controls that will be used to protect
new information systems and services.

DO

DONE

N/A

29

Make sure that your security management
forum reviews and evaluates information
security incidents.

DO

DONE

N/A

30

Make sure that your management forum
promotes the importance of information
security throughout your organization.

DO

DONE

N/A

4.1.3 ALLOCATE SECURITY RESPONSIBILITIES

COMMENTS

31

Define the responsibilities that control how individual
information assets should be protected.

DO

DONE

N/A

32

Define the responsibilities that control
how information security processes
should be carried out.

DO

DONE

N/A

33

Make sure that your information security
policy describes how general security roles
and responsibilities are distributed throughout
your organization.

DO

DONE

N/A

34

Define how specific information security
roles and responsibilities are distributed
amongst various sites.

DO

DONE

N/A

35

Define how specific information security roles and
responsibilities are distributed amongst systems.

DO

DONE

N/A

36

Define how specific information security roles and
responsibilities are distributed amongst services.

DO

DONE

N/A

37

Define how the responsibility for individual
physical assets are allocated at the local level.

DO

DONE

N/A

38

Define how the responsibility for individual
information assets are allocated at the local level.

DO

DONE

N/A

39

Define how the responsibility for individual security
processes are allocated at the local level.

DO

DONE

N/A

40

Appoint an information security manager.

DO

DONE

N/A

41

Make sure that your information security manager
has been given the responsibility for developing
your security program.

DO

DONE

N/A

42

Make sure that your information security manager
has been given the responsibility for implementing
your security program.

DO

DONE

N/A

43

Make sure that your information security manager
has been given the responsibility for identifying
security controls.

DO

DONE

N/A

44

Appoint an owner for each information asset.

DO

DONE

N/A

45

Make sure that asset owners have been
given the responsibility for the security
of their information assets.

DO

DONE

N/A

46

Make sure that your asset owners delegate
specific security responsibilities to other
managers or service providers.

DO

DONE

N/A

47

Make sure that asset owners ensure that
delegated security responsibilities are
clearly and completed stated.

DO

DONE

N/A

48

Make sure that delegated responsibilities
for security assets and processes have
been clearly and completely defined.

DO

DONE

N/A

49

Make sure that you document all delegated
responsibilities for information security
assets and processes.

DO

DONE

N/A

50

Make sure that you define and document
all delegated authorization levels for security
assets and processes.

DO

DONE

N/A

51

Make sure that your asset owners ensure
that delegated security responsibilities
are properly carried out.

DO

DONE

N/A

4.1.4 SET UP AUTHORIZATION PROCESS FOR NEW FACILITIES

COMMENTS

52

Establish a management authorization process
to control new information processing facilities.

DO

DONE

N/A

53

Make sure that user managers approve of
the purpose and authorize the use of all
new information processing facilities.

DO

DONE

N/A

54

Make sure that your information security
maintenance manager authorizes new
information processing facilities.

DO

DONE

N/A

55

Make sure that your information security
maintenance manager ensures that your
new information processing facilities meet
all security requirements and policies.

DO

DONE

N/A

56

Check new hardware to ensure that it will be
compatible with existing system components.

DO

DONE

N/A

57

Check new software to ensure that it will be
compatible with existing system components.

DO

DONE

N/A

58

Control the business use of personal
information processing facilities.

DO

DONE

N/A

59

Evaluate personal information processing
facilities before they are used to process
business information.

DO

DONE

N/A

60

Authorize the use of personal processing
facilities before they are used to process
business information.

DO

DONE

N/A

4.1.5 IDENTIFY SPECIALIZED SECURITY ADVISORS

COMMENTS

61

Identify an in-house information security advisor.

DO

DONE

N/A

62

Make sure that your in house security advisor
accumulates and co ordinates your organization’s
information security knowledge and experience.

DO

DONE

N/A

63

Make sure that your in house information
security advisor helps your organization
to make information security decisions.

DO

DONE

N/A

64

Make sure that your in house information
security advisor has access to external
security experts and advisors.

DO

DONE

N/A

65

Make sure that your information security
advisors have been asked to provide advice
on all aspects of information security.

DO

DONE

N/A

66

Have information security advisors been
asked to assess the security problems that
threaten your organization.

DO

DONE

N/A

67

Make sure that your information security
advisors have been asked to assess your
organization’s information security controls.

DO

DONE

N/A

68

Make sure that information security advisors
have direct access to your organization’s
management personnel.

DO

DONE

N/A

69

Consult your security advisors whenever
you have a security incident or breach.

DO

DONE

N/A

70

Ask your information security advisors to
investigate security incidents or breaches.

DO

DONE

N/A

Etcetera ...

DO

DONE

N/A

Praxiom Research

OTHER ISO 27002 (17799) WEB PAGES

Introduction to ISO 27002 2005 (17799 2005) Information Security Standard

Overview of the ISO 27002 2005 (17799 2005) Information Security Standard

ISO 27002 2005 (17799 2005) Information Security Management Definitions

ISO 27002 2005 (17799 2005) Information Security Standard in Plain English

ISO 27002 2005 (17799 2005) Information Security Audit Tool
 

How to Order

Our Products

Our Prices

Our Guarantee

Home Page

Table of Contents

Our License

Our Customers

PRAXIOM RESEARCH GROUP LIMITED
Telephone: 780-461-4514 info@praxiom.com

First published on November 5, 2004. Updated on December 27, 2011.

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and
  developing this electronic publication. We make no representation or warranties
  with respect to accuracy or completeness of the contents of this publication and
  specifically disclaim any implied warranties or merchantability or fitness for any
  particular purpose and shall in no event be liable for any loss of profit or any
  other commercial damage, including but not limited to special, incidental,
  consequential, or other damages.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
 material as often as you wish, free of charge. And as long as you keep intact
 all copyright notices, you are also welcome to print or make one copy of this
 page for your own personal, noncommercial, home use. But, you are not
 legally authorized to print or produce additional copies or to copy and paste
 any of our material onto another web site or to republish it in any way.

Copyright © 2004 - 2011 by Praxiom Research Group Limited. All Rights Reserved.

Praxiom Research