Navigating the Information Security Landscape: Mapping the Relationship Between ISO 15408: 1999 and ISO 17799: 2000

It is crucial for corporations operating in a multinational economy to have a seamless understanding of the security process. For information assurance, ISO 15408:1999 (i.e. Common Criteria) and ISO 17799:2000 are the key standards, both of which are needed for implementing a global approach to security. They provide a definition of the necessary elements of the process as well as the basis for authoritative certification. However, the standards are entirely different in focus. The former is product-oriented while the latter is strategic and organizational. That divergence is an obstacle to creating secure enterprises and it causes disagreement about the meaning and value of the certifications. Mapping the relationship between ISO 15408 and ISO 17799 demonstrates their strengths and weaknesses and encourages organizations to use these standards effectively. The results of our study indicate that while there are overlaps between these two standards, there are also significant gaps.