Implementing the ISO/IEC 17799 standard in practice - experiences on audit phases

Author

  • Timo Wiander
Abstract

This paper introduces implementation experiences with the ISO/IEC 17799 standard. The early implementation phase showed that there was resistance to change. The study revealed that lack of information was the root cause of that. The solution to this problem is proactive communication and the use of internal advocates. All interviewees shared the same view that ISO/IEC 17799 fits well with the existing organisation culture, and even changed it to a more security-conscious one. The audit phase suggested that the audit mainly supported the organisations' processes well, and that the organisations got feedback beyond the audit itself. After the implementation phase the workload diminished, and the maintenance mode was mainly seen as reasonable.


Related works

ISO/IEC 17799 Standard’s Intended Usage and Actual Use by the Practitioners

The ISO/IEC 17799 standard (2005) is commonly viewed as a necessary element in information security management. However, there is no empirical evidence of the usefulness of the standard in practice. To study this issue, this study analyses the implementation experiences of four organisations that have implemented the ISO/IEC 17799 (2005) standard. Through semi-structured interviews, the results...


The Simple Information Security Audit Process: SISAP

The SISAP (Simple Information Security Audit Process) is a dynamic security audit methodology fully compliant with the ISO 17799 and BS 7799.2, and conformant with the ISO 14508 in terms of its functionality guidelines. The SISAP employs a simulation-based rule base generator that balances risks and business value generation capabilities using the Plan-Do-Check-Act cycle imposed in BS 7799.2. T...


ISO 17799: "Best Practices" in Information Security Management?

To protect the information assets of organizations, many different standards and guidelines have been proposed. Among them, International standard ISO 17799 is one of the most prominent international efforts on information security. This standard provides both an authoritative statement on information security and the procedures to be adopted by organizations to ensure information security. Sec...


Sarbanes-Oxley: Achieving Compliance by Starting with ISO 17799

Compliance with the Sarbanes–Oxley Act of 2002 (SOX) has been hampered by the lack of implementation details. This article argues that IT departments that have implemented ten categories of IT controls provided by the International Standards Organization (ISO 17799) will be well on their way toward SOX compliance. A side-by-side comparison of the 124 control components of the ISO Standard and t...


Information Security governance: COBIT or ISO 17799 or both?

This paper investigates the coexistence of and complementary use of COBIT and ISO 17799 as reference frameworks for Information Security governance. The investigation is based on a mapping between COBIT and ISO 17799 which became available in 2004, and provides a level of 'synchronization' between these two frameworks.


Publication year: 2008