INTERNATIONALSTANDARDISO/IEC17799Second edition2005-06-15Information technology — Securitytechniques — Code of practice forinformation security managementThis is a free 10 page sample. Access the full version online.Technologies de l'information — Techniques de sécurité — Code depratique pour la gestion de sécurité d'informationReference numberISO/IEC 17799:2005(E) ISO/IEC 2005

ISO/IEC 17799:2005(E)PDF disclaimerThis PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed butshall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. Indownloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariataccepts no liability in this area.Adobe is a trademark of Adobe Systems Incorporated.This is a free 10 page sample. Access the full version online.Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creationparameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. Inthe unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. ISO/IEC 2005All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below orISO's member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. 41 22 749 01 11Fax 41 22 749 09 47E-mail [email protected] www.iso.orgPublished in Switzerlandii ISO/IEC 2005 – All rights reserved

ISO/IEC17799:2005(E)ContentsPageFOREWORD. VII0 INTRODUCTION . VIII0. IS INFORMATION SECURITY?.VIIIWHY INFORMATION SECURITY IS NEEDED? .VIIIHOW TO ESTABLISH SECURITY REQUIREMENTS .IXASSESSING SECURITY RISKS . IXSELECTING CONTROLS. IXINFORMATION SECURITY STARTING POINT. IXCRITICAL SUCCESS FACTORS . XDEVELOPING YOUR OWN GUIDELINES . XI1 SCOPE . 12 TERMS AND DEFINITIONS . 13 STRUCTURE OF THIS STANDARD. 43.13.2CLAUSES . 4MAIN SECURITY CATEGORIES . 44 RISK ASSESSMENT AND TREATMENT . 54.14.2ASSESSING SECURITY RISKS . 5TREATING SECURITY RISKS. 55 SECURITY POLICY . 75.1INFORMATION SECURITY POLICY . 75.1.1Information security policy document . 75.1.2Review of the information security policy. 8This is a free 10 page sample. Access the full version online.6 ORGANIZATION OF INFORMATION SECURITY. 96.1INTERNAL ORGANIZATION . 96.1.1Management commitment to information security. 96.1.2Information security co-ordination. 106.1.3Allocation of information security responsibilities. 106.1.4Authorization process for information processing facilities. 116.1.5Confidentiality agreements . 116.1.6Contact with authorities . 126.1.7Contact with special interest groups . 126.1.8Independent review of information security . 136.2EXTERNAL PARTIES . 146.2.1Identification of risks related to external parties. 146.2.2Addressing security when dealing with customers . 156.2.3Addressing security in third party agreements . 167 ASSET MANAGEMENT. 197.1RESPONSIBILITY FOR ASSETS . 197.1.1Inventory of assets . 197.1.2Ownership of assets . 207.1.3Acceptable use of assets. 207.2INFORMATION CLASSIFICATION . 217.2.1Classification guidelines. 217.2.2Information labeling and handling . 218 HUMAN RESOURCES SECURITY . 238.1PRIOR TO EMPLOYMENT . 238.1.1Roles and responsibilities . 23 ISO/IEC 2005 – All rights reservediii

ISO/IEC 17799:2005(E)8.1.2Screening . 238.1.3Terms and conditions of employment . 248.2DURING EMPLOYMENT . 258.2.1Management responsibilities . 258.2.2Information security awareness, education, and training . 268.2.3Disciplinary process . 268.3TERMINATION OR CHANGE OF EMPLOYMENT. 278.3.1Termination responsibilities . 278.3.2Return of assets. 278.3.3Removal of access rights . 289 PHYSICAL AND ENVIRONMENTAL SECURITY . 299.1SECURE AREAS . 299.1.1Physical security perimeter . 299.1.2Physical entry controls . 309.1.3Securing offices, rooms, and facilities . 309.1.4Protecting against external and environmental threats. 319.1.5Working in secure areas . 319.1.6Public access, delivery, and loading areas. 329.2EQUIPMENT SECURITY . 329.2.1Equipment siting and protection. 329.2.2Supporting utilities . 339.2.3Cabling security. 349.2.4Equipment maintenance. 349.2.5Security of equipment off-premises. 359.2.6Secure disposal or re-use of equipment . 359.2.7Removal of property . 3610 COMMUNICATIONS AND OPERATIONS MANAGEMENT. 37This is a free 10 page sample. Access the full version online.10.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES . 3710.1.1 Documented operating procedures. 3710.1.2 Change management . 3710.1.3 Segregation of duties . 3810.1.4 Separation of development, test, and operational facilities . 3810.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT . 3910.2.1 Service delivery. 3910.2.2 Monitoring and review of third party services. 4010.2.3 Managing changes to third party services. 4010.3 SYSTEM PLANNING AND ACCEPTANCE . 4110.3.1 Capacity management .