ISO/IEC 17799:2005

This standard on information security management establishes guidelines and general principles for organizations to initiate, implement, maintain, and improve information security management.
ISO/IEC 17799:2005 contains best-practice control objectives and controls in the following areas of information security management:
- Security policy.
- Organization of information security.
- Asset management.
- Human resources security.
- Physical and environmental security.
- Communications and operations management.
- Access control.
- Information systems acquisition, development and maintenance.
- Information security incident management.
- Business continuity management.
- Compliance.
It is suitable for several different types of organizational use, including the following:
- Formulation of security requirements and objectives.
- To ensure that security risks are cost effectively managed.
- To ensure compliance with laws and regulations.
- As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met.
- Identification and clarification of existing information security management processes.
- To be used by management to determine the status of information security management activities.
- To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization.
- To provide relevant information about information security policies, directives, standards and procedures to trading partners.
- To provide relevant information about information security to customers.