| ESTABLISH POLICIES | SCOPE DEFINITION | CONDUCT RISK ASSESSMENT |
|---|---|---|
| Based on security best practices, the ISO17799 standard, and ISO17799-compliant policy statements, policies must be selected, developed, and/or tailored for the protection of assets within the organization. | The BS7799/ISO17799 Information System Security Management (ISSM) process requires scope determination: deciding what (e.g., products, services, environment, etc.) will require security policies and standards. | The Business Impact Analysis (BIA) and Fact Finding Analysis tools aid in determining the level of risk and impact. Additionally, these tools help decide what actions, if any, should be taken. |

| RISK MANAGEMENT | TAILOR POLICIES & CONTROL OBJECTIVES | DOCUMENT & JUSTIFY SECURITY CONTROLS |
|---|---|---|
| The Contingency Management and Asset Valuation tools help manage the risk by transfer, avoidance, and/or establishing controls. | ISO17799, BS7799 Appendix A, and the Security Assessment Questionnaires included in the product provide control objectives and solutions to address the risks and vulnerabilities. | When policies, control objectives, and solutions are selected and/or established, statements of applicability (SOA) must be developed to document and justify the approach or methodology. |

| ISO17799 / BS7799 Relationship | |
|---|---|
| BS ISO/IEC 17799 gives recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization. | BS 7799-2 specifies the requirements for establishing, implementing, and documenting information security management systems (ISMSs). Part 2 of the standard is the specification that companies can be assessed and registered against. |