Comparison Between Old and Revised ISO 17799 Standard

Source:
ISO 17799 Community
Legends
Control Objectives in a clause
Revised Control Objectives
controls ( see comments)

and

ISO17799:2000
Clause

Sec

Security Policy

3.1
3.1.1
3.1.2

Information Security Policy

Information Security Policy Document
Review and Evaluation

4.1
4.1.1
4.1.2
4.1.3

Asset Classification and Control

Personnel Security

and

Sec

Control Objective/Control
Information Security Policy
Information Security Policy Document
Review of Information Security Policy

6.1
6.1.1
6.1.2
6.1.3

Internal Organization
Management Commitment to information security
Information security Co-ordiantion
Allocation of information security Responsibilities

6.1.4

Authorization process for Information Processing facilities

4.1.5
4.1.6
4.1.7
4.2
4.2.1
4.2.2
4.3
4.3.1

Information security Infrastructure

Management Information Security Forum
Information Security co-ordination
Allocation of Information security responsibilities
Authorization process for Information Processing
facilities
Specialist information security advice
Organization of Information security
Co-operation between organization
Independent review of Information Security
Security of Third Party Access
Identification of risk from third party access
Security Requirement in third party access
Outsourcing
Security Requirement in outsourcing contracts

6.1.5
6.1.6
6.1.7
6.1.8
6.2
6.2.1
6.2.2
6.2.3

Confidentiality agreements
Contact with authorities
Contact with special interest groups
Independent review of information security
External Parties
Identification of risk related to external parties
Addressing security when dealing with customers
Addressing security in third party agreements

5.1
5.1.1
5.2
5.2.1
5.2.2

Accountability For Assets

Inventory of Assets
Information Classification
Classification Guidelines
Information Labeling and Handling

7.1
7.1.1
7.1.2
7.1.3
7.2
7.2.1
7.2.2

Responsibility for Assets

Inventory of assets
Ownership of Assets
Acceptable use of assets
Information classification
classification Guidelines
Information Labeling and Handling

6.1
6.1.1.
6.1.2
6.1.1.
6.1.3
6.2
6.2.1

Security in job Definition and resourcing

Including security in job responsibility
Personal screening and Policy
Confidentiality agreements
Terms and conditions of employment
User Training
Information security education and training

8.1
8.1.1
8.1.2
8.1.3
8.2
8.2.1
8.2.2

Prior to Employment
Roles and Responsibilities
Screening
Terms and conditions of employment
During Employment
Management Responsibility
Information security awareness, education and training

6.3

Responding to security Incidents and Malfunctions

8.2.3

Disciplinary process

6.3.1
6.3.2
6.3.3
6.3.4
6.3.5

Reporting security Incidents

Reporting security Weakness
Reporting Software Malfunctions
Learning from Incidents
Disciplinary Process

8.3
8.3.1
8.3.2
8.3.3

Termination or change of employment

Termination responsibility
Return of assets
Removal of access rights

7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.1.5
7.2
7.2.1
Physical and Environmental Security
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.3
7.3.1
7.3.2

Communications
Management

Clause

5.1
5.1.1
5.1.2

4.1.4
Organizational Security

ISO 17799:2005

Control Objective/Control

Security Areas
Physical security Perimeter
Physical entry controls
Securing offices, rooms and facilities
Working in secure areas
Isolated delivery and loading areas
Equipment security
Equipment siting and protection
Power supplies
cabling security
Equipment Maintenance
Security of equipment off-premises
Secure disposal or reuse of equipment
General controls
Clear desk and clear screen Policy
Removal of property

Security Policy

Asset Management

Human Resource Security

Physical
Security

and

9.1
9.1.1
9.1.2
9.1.3
9.1.4
9.1.5
9.1.6
Environmental 9.2
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.2.7

Secure Areas
Physical security Perimeter
Physical entry controls
Securing offices, rooms and facilities
Protecting against external and environmental threats
Working in secure areas
Public access, delivery and loading areas
Equipment security
Equipment sitting and protection
Support utilities
Cabling security
Equipment Maintenance
Security of equipment off-premises
Secure disposal or reuse of equipment
Removal of Property

8.1
8.1.1
8.1.2
8.1.3
8.1.4

Operational Procedures and responsibilities

Documented operating Procedures
Operational change control
Incident Management procedure
Segregation of Duties

10.1
10.1.1
10.1.2
10.1.3
10.1.4

Operational Procedures and responsibilities

Documented operating Procedures
Change Management
Segregation of Duties
Separation of development and Operations facilities

8.1.5

Separation of development and Operations facilities

10.2

Third Party Service Delivery Management

8.1.6
8.2
8.2.1
8.2.2
8.3
8.3.1
8.4
8.4.1
Operations 8.4.2
8.4.3
8.5
8.5.1
8.6
8.6.1
8.6.2
8.6.3
8.6.4
8.7
8.7.1
8.7.2
8.7.3
8.7.4
8.7.5
8.7.6
8.7.7

External facilities Management

System Planning and acceptance
Capacity Planning
System acceptance
Protection against Malicious software
Control Against Malicious software
Housekeeping
Information back-up
Operator logs
Fault Logging
Network Management
Network controls
Media Handling and Security
Management of removable computer media
Disposal of Media
Information handling procedures
Security of system documentation
Exchanges of Information and Software
Information and software exchange agreements
Security of Media in transit
Electronic commerce security
Security of Electronic Mail
Security of Electronic office systems
Publicly available systems
Other forms of information exchange

Communications
Management

and

10.2.1
10.2.2
10.2.3
10.3
10.3.1
10.3.2
10.4
10.4.1
10.4.2
10.5
10.5.1
10.6
10.6.1
10.6.2
Operations
10.7
10.7.1
10.7.2
10.7.3
10.7.4
10.8
10.8.1
10.8.2
10.8.3
10.8.4
10.8.5
10.9
10.9.1
10.9.2
10.9.3
10.10
10.10.1
10.10.2
10.10.3
10.10.4
10.10.5
10.10.6

Service Delivery
Monitoring and review of third party services
Manage changes to the third party services
System Planning and Acceptance
Capacity management
System acceptance
Protection against Malicious and Mobile Code
Controls against malicious code
Controls against Mobile code
Back-Up
Information Backup
Network Security Management
Network controls
Security of Network services
Media Handling
Management of removable media
Disposal of Media
Information handling procedures
Security of system documentation
Exchange of Information
Information exchange policies and procedures
Exchange agreements
Physical media in transit
Electronic Messaging
Business Information systems
Electronic Commerce Services
Electronic Commerce
On-Line transactions
Publicly available information
Monitoring
Audit logging
Monitoring system use
Protection of log information
Administrator and operator logs
Fault logging
Clock synchronization

9.1
9.1.1
9.2
9.2.1
9.2.2
9.2.3
9.2.4
9.3
9.3.1
9.3.2
9.4
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.5
9.5.1
9.5.2
9.5.3
9.5.4
9.5.5
9.5.6
9.5.7
9.5.8
9.6
9.6.1
9.6.2
9.7
9.7.1
9.7.2
9.7.3
9.8
9.8.1
9.8.2

Access control

System
Development
Maintenance

10.1
10.1.1
10.2
10.2.1
10.2.2
10.2.3
10.2.4
10.3
10.3.1
10.3.2
10.3.3
and 10.3.4
10.3.5
10.4
10.4.1
10.4.2

Business Requirement for Access Control

Access control Policy
User Access Management
User Registration
Privilege Measurement
User password management
Review of user access rights
User Responsibilities
Password Use
Unattended user equipment
Network Access control
Policy on use of network services
Enforced path
User authentication for external connections
Node authentication
Remote diagnostic port protection
Segregation in networks
Network connection control
Network Routing control
Security of network services
Operating System Access Control
Automatic terminal identification
Terminal Log-on procedure
User identification and authentication
Password Management system
Use of system utilities
Duress alarm to safeguard users
Terminal time-out
Limitation of connection time
Application access control
Information access restriction
Sensitive system isolation
Monitoring system access and Use
Event Logging
Monitoring system use
Clock synchronization
Mobile Computing and Teleworking
Mobile computing
Teleworking
Security Requirements of Systems
Security requirement analysis and specifications
Security in Application Systems
Input data validation
Control of internal processing
Message authentication
Output data validation
Cryptographic controls
Policy on the use of cryptographic controls
Encryption
Digital Signature
Non-repudiation services
Key Management
Security of System Files
Control of Operational software
Protection of system test data

Access control

12.1
12.1.1
12.2
12.2.1
12.2.2
12.2.3
12.2.4
12.3
12.3.1
12.3.2
12.4
Information Systems Acquisition 12.4.1
Development and Maintenance
12.4.2
12.4.3
12.5
12.5.1

Security Requirements of Information Systems

Security requirement analysis and specifications
Correct Processing in Applications
Input data validation
Control of internal processing
Message integrity
Output data validation
Cryptographic controls
Policy on the use of cryptographic controls
Key Management
Security of System Files
Control of Operational software
Protection of system test data
Access control to program source library
Security in Development and Support Processes
Change Control Procedures

Access control to program source library

12.5.2

Technical review of applications after Operating system changes

10.5
10.5.1
10.5.2
10.5.3
10.5.4
10.5.5

Security in Development and Support Processes

Change Control Procedures
Technical review of Operating system changes
Restrictions on changes to software packages
Covert channels and Trojan code
Outsourced Software Development

12.5.3
12.5.4
12.5.5
12.6
12.6.1

Restrictions on changes to software packages

Information Leakage
Outsourced Software Development
Technical Vulnerability Management
Control of technical vulnerabilities

13.1
13.1.1
13.1.2

Reporting Information Security Events and Weaknesses

Reporting Information security events
Reporting security weaknesses

13.2

Management of Information Security Incidents and Improvements

13.2.1
13.2.2
13.2.3

Responsibilities and Procedures

Learning for Information security incidents
Collection of evidence
Information Security Aspects of Business Continuity Management

Security

Incident

11.1

Aspects of Business Continuity Management

14.1

11.1.1

Business continuity management process

14.1.1

11.1.2

Business continuity and impact analysis

11.1.3

Writing and implementing continuity plans

14.1.3

11.1.4

Business continuity planning framework

Testing, maintaining and re-assessing business
continuity plans

14.1.4

Including Information Security in Business continuity management

process
Business continuity and Risk Assessment
developing and implementing continuity plans including
information security
Business continuity planning framework

14.1.5

Testing, maintaining and re-assessing business continuity plans

12.1
12.1.1
12.1.2
12.1.3

Compliance with Legal Requirements

Identification of applicable legislations
Intellectual Property Rights ( IPR)
Safeguarding of organizational records

15.1
15.1.1
15.1.2
15.1.3

Compliance with Legal Requirements

Identification of applicable legislations
Intellectual Property Rights ( IPR)
Protection of organizational records

12.1.4

Data Protection and privacy of personal information

15.1.4

Data Protection and privacy of personal information

15.1.5

Prevention of misuse of information processing facilities

15.1.6

Regulation of cryptographic controls

Compliance with Security Policies and Standards and Technical
compliance

11.1.5

Business Continuity Management

14.1.2

12.1.6

Prevention of misuse of information processing

facilities
Regulation of cryptographic controls

12.1.7

Collection of evidence

12.2

Review of security policy and technical compliance

15.2.1

Compliance with security policy

12.2.1
12.2.2
12.3
12.3.1
12.3.2

Compliance with security policy

Technical compliance checking
System Audit Considerations
System Audit controls
Protection of system audit tools

15.2.2
15.3
15.3.1
15.3.2

Technical compliance checking

Information System Audit Considerations
Information System Audit controls
Protection of information system audit tools

12.1.5

Compliance

Business Requirement for Access Control

Access control Policy
User Access Management
User Registration
Privilege Measurement
User password management
Review of user access rights
User Responsibilities
Password Use
Unattended user equipment
Clear Desk and Clear Screen Policy
Network Access control
Policy on use of network services
User authentication for external connections
Equipment identification in networks
Remote diagnostic and configuration port protection
Segregation in networks
Network connection control
Network Routing control
Operating System Access Control
Secure Log-on procedures
User identification and authentication
Password Management system
Use of system utilities
Session Time-out
Limitation of connection time
Application access control
Information access restriction
Sensitive system isolation
Mobile Computing and Teleworking
Mobile computing and communication
Teleworking

10.4.3

Information
Management

Business continuity Management

11.1
11.1.1
11.2
11.2.1
11.2.2
11.2.3
11.2.4
11.3
11.3.1
11.3.2
11.3.3
11.4
11.4.1
11.4.2
11.4.3
11.4.4
11.4.5
11.4.6
11.4.7
11.5
11.5.1
11.5.2
11.5.3
11.5.4
11.5.5
11.5.6
11.6
11.6.1
11.6.2
11.7
11.7.1
11.7.2

Compliance

15.2

http://www.17799.com