BS 7799/ISO 17799
Re: Some more questions May 26 2007 12:41PM
Andreas Rauer (andreas andreas-rauer de)
Vijay Mukhi wrote:

> Most places on the web would sell me the ISO 27001 official standard
> for about 200$. The ANSI site sells the same standard at 30$. Why do
> we have such wide fluctuations in prices? At the end of the day I
> get the same PDF file, or is there any difference?

Huh?

Hm, I would head directly to ISO.org and get it from there.
126 CHF should be around 105 USD.

http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=42103&ICS1=35&ICS2=40&ICS3

> Is the following equation correct?
> ISO27001 = ISO 17799 + 12 pages of ISO 270001
> Pages 13 onwards of the ISO 27001 standard are a summary of controls from
> ISO/IEC 17799.

No.

ISO 27001's "core clauses" are written on pages 3 to 12 (the hard
requirements for an ISMS).

The following pages are Annex A with the ("optional") 133 controls, which can
be selected during creation of your Statement of Applicability and
therefore become mandatory requirements for passing an audit.

(The controls in Annex A are very "short" in text, and therefore a bit
too flexible for some - they are not a summary of ISO 17799.)

ISO 17799 correlates 1:1 in chapter numeration with the controls from
Annex A and gives more details and "best practices" for implementation of
the chosen controls.

> Am I right in assuming that the controls specified in ISO 17799 are
> more managerial than technological?

Yes.
Because ISO 27001 and ISO 17799 are management standards, not
implementation standards (like, say, the German IT baseline protection
manual).
And it's totally fine that way.

> Suggestion: Is it a good idea to take every control and specify actual
> practical technology ways of enforcing the ISO 17799 controls and thus
> the ISO 27001?

I don't think it's a good idea "to choose every control from ISO 27001,
regardless of whether we need them or not; we will do everything and therefore be
safe."

! Choose the controls you need. Base this decision on your risk assessment. !

And after you have defined your individual needs, take those chosen controls
and further "specify/fill" them with a technical implementation suitable
for your company's situation.

HTH,
Andreas

Copyright 2010, SecurityFocus