ISO IEC 17799 2000
TRANSLATED INTO PLAIN ENGLISH

PART 8. COMMUNICATIONS AND OPERATIONS

ISO/IEC 17799 2000 is OBSOLETE.
Please see ISO/IEC 27002 2005.

We've used a task oriented approach to translate the ISO 17799 2000
information security practices into plain English. This means that our
plain English standard consists entirely of tasks or actions. So if you
want to implement the ISO 17799 standard, all you have to do is carry
out the tasks that we have listed. However, you don't have to perform
every task. These are recommended tasks, not compulsory tasks.

In order to give you the freedom to choose whether or not you
wish to carry out a recommended task, we offer three response
options for each task: DO, DONE, or N/A. If you haven't done the
task and you feel it needs to be done, select DO. Select DO if the
task addresses one of your information security risks or needs.
If you've already done the task, select DONE. If the task is not
applicable in your situation or does not address your information
security risks and needs, then answer N/A (not applicable).

ISO IEC 17799 2000
INFORMATION SECURITY STANDARD
PLAIN ENGLISH SAMPLE

8. COMMUNICATIONS AND OPERATIONS MANAGEMENT

8.1 ESTABLISH OPERATIONAL PROCEDURES

1. Establish procedures to manage your information processing facilities.
   DO / DONE / N/A    COMMENTS:
2. Assign responsibilities that govern the management of your organization's information processing facilities.
   DO / DONE / N/A    COMMENTS:
3. Establish procedures to operate your information processing facilities.
   DO / DONE / N/A    COMMENTS:
4. Assign responsibilities that govern the operation of your organization's information processing facilities.
   DO / DONE / N/A    COMMENTS:

8.1.1 DOCUMENT YOUR OPERATING PROCEDURES

5. Develop operating procedures that comply with your security policy.
   DO / DONE / N/A    COMMENTS:
6. Document your operating procedures.
   DO / DONE / N/A    COMMENTS:
7. Control your operating procedure documents.
   DO / DONE / N/A    COMMENTS:
8. Make sure that all changes to your operating procedure documents are authorized and controlled by management.
   DO / DONE / N/A    COMMENTS:
9. Make sure that operating procedures explain how each job or task should be performed.
   DO / DONE / N/A    COMMENTS:
10. Make sure that your operating procedures explain how information should be processed.
   DO / DONE / N/A    COMMENTS:
11. Make sure that your operating procedures explain how information should be handled.
   DO / DONE / N/A    COMMENTS:
12. Make sure that operating procedures explain how job scheduling should be performed.
   DO / DONE / N/A    COMMENTS:
13. Make sure that your operating procedures expect your schedules to specify start and finish dates.
   DO / DONE / N/A    COMMENTS:
14. Make sure that operating procedures describe the systemic interdependencies that influence how jobs are done.
   DO / DONE / N/A    COMMENTS:
15. Make sure that your operating procedures explain how job performance errors should be handled.
   DO / DONE / N/A    COMMENTS:
16. Make sure that your operating procedures explain how restrictions on the use of system utilities should be handled.
   DO / DONE / N/A    COMMENTS:
17. Make sure that your operating procedures identify people who can be contacted when operational or technical problems occur.
   DO / DONE / N/A    COMMENTS:
18. Make sure that your operating procedures explain how output should be handled.
   DO / DONE / N/A    COMMENTS:
19. Make sure that your operating procedures explain how confidential output should be handled.
   DO / DONE / N/A    COMMENTS:
20. Make sure that your operating procedures explain how output from failed jobs should be disposed of.
   DO / DONE / N/A    COMMENTS:
21. Make sure that operating procedures explain how system failures should be handled.
   DO / DONE / N/A    COMMENTS:
22. Make sure that operating procedures explain how to restart your systems.
   DO / DONE / N/A    COMMENTS:
23. Make sure that operating procedures describe system recovery procedures.
   DO / DONE / N/A    COMMENTS:
24. Develop operational housekeeping procedures for your information processing facilities.
   DO / DONE / N/A    COMMENTS:
25. Develop operational housekeeping procedures for communication facilities.
   DO / DONE / N/A    COMMENTS:
26. Develop computer startup and shutdown procedures.
   DO / DONE / N/A    COMMENTS:
27. Develop computer backup procedures.
   DO / DONE / N/A    COMMENTS:
28. Develop equipment maintenance procedures.
   DO / DONE / N/A    COMMENTS:
29. Develop computer room procedures.
   DO / DONE / N/A    COMMENTS:
30. Develop mail handling management procedures.
   DO / DONE / N/A    COMMENTS:
31. Develop mail handling safety procedures.
   DO / DONE / N/A    COMMENTS:

8.1.2 CONTROL CHANGES TO FACILITIES AND SYSTEMS

32. Control changes to information processing facilities.
   DO / DONE / N/A    COMMENTS:
33. Control changes to your information systems.
   DO / DONE / N/A    COMMENTS:
34. Assign management responsibility for the control of changes to equipment.
   DO / DONE / N/A    COMMENTS:
35. Assign management responsibility for the control of changes to software.
   DO / DONE / N/A    COMMENTS:
36. Assign management responsibility for the control of changes to procedures.
   DO / DONE / N/A    COMMENTS:
37. Develop procedures to control changes to equipment.
   DO / DONE / N/A    COMMENTS:
38. Develop procedures to control changes to software.
   DO / DONE / N/A    COMMENTS:
39. Develop procedures to control changes to procedures.
   DO / DONE / N/A    COMMENTS:
40. Control all changes to operational programs.
   DO / DONE / N/A    COMMENTS:
41. Use audit logs to track changes to programs.
   DO / DONE / N/A    COMMENTS:
42. Identify all significant changes to your organization's information processing facilities and systems.
   DO / DONE / N/A    COMMENTS:
43. Record all significant changes to your organization's information processing facilities and systems.
   DO / DONE / N/A    COMMENTS:
44. Assess the potential impact before you make changes to your information processing facilities and systems.
   DO / DONE / N/A    COMMENTS:
45. Use a formal procedure to authorize proposed changes to your facilities and systems.
   DO / DONE / N/A    COMMENTS:
46. Ensure that the details of changes to facilities and systems are communicated to all relevant persons.
   DO / DONE / N/A    COMMENTS:
47. Use a procedure to control how unsuccessful changes should be aborted and resolved.
   DO / DONE / N/A    COMMENTS:

8.1.3 ESTABLISH INCIDENT MANAGEMENT PROCEDURES

48. Establish procedures that must be used to manage and respond to all security incidents.
   DO / DONE / N/A    COMMENTS:
49. Assign incident management responsibilities.
   DO / DONE / N/A    COMMENTS:
50. Develop procedures to handle all types of security incidents.
   DO / DONE / N/A    COMMENTS:
51. Develop procedures to handle information system failures.
   DO / DONE / N/A    COMMENTS:
52. Develop procedures to handle the loss of service.
   DO / DONE / N/A    COMMENTS:
53. Develop procedures to handle the denial of service.
   DO / DONE / N/A    COMMENTS:
54. Develop procedures to handle incomplete data.
   DO / DONE / N/A    COMMENTS:
55. Develop procedures to handle inaccurate data.
   DO / DONE / N/A    COMMENTS:
56. Develop procedures to handle confidentiality breakdowns.
   DO / DONE / N/A    COMMENTS:
57. Make sure that your procedures expect people to identify and analyze the causes of your security incidents.
   DO / DONE / N/A    COMMENTS:
58. Make sure that your procedures expect people to figure out how to prevent a recurrence of your security incidents.
   DO / DONE / N/A    COMMENTS:
59. Make sure that procedures expect people to communicate with those who are affected by security incidents.
   DO / DONE / N/A    COMMENTS:
60. Make sure that your procedures expect people to report the security incident and response to the appropriate authority.
   DO / DONE / N/A    COMMENTS:
61. Make sure that your procedures expect people to study trails and collect evidence about your security incidents.
   DO / DONE / N/A    COMMENTS:
62. Use evidence to analyze your security incidents.
   DO / DONE / N/A    COMMENTS:
63. Collect evidence for breach of contract purposes.
   DO / DONE / N/A    COMMENTS:
64. Collect evidence to address regulatory violations.
   DO / DONE / N/A    COMMENTS:
65. Collect evidence to support legal proceedings.
   DO / DONE / N/A    COMMENTS:
66. Collect evidence to support your requests for compensation from software and service suppliers.
   DO / DONE / N/A    COMMENTS:
67. Develop procedures to control how you correct and recover from security failures.
   DO / DONE / N/A    COMMENTS:
68. Make sure that your recovery procedures ensure that only authorized persons are allowed access to live systems and data.
   DO / DONE / N/A    COMMENTS:
69. Make sure that your recovery procedures expect people to document all the actions that were taken during the emergency.
   DO / DONE / N/A    COMMENTS:
70. Make sure that your recovery procedures expect people to report emergency actions to management.
   DO / DONE / N/A    COMMENTS:
71. Make sure that your recovery procedures expect management to carry out an orderly review of emergency actions taken.
   DO / DONE / N/A    COMMENTS:
72. Make sure that your recovery procedures ensure that the integrity of all vulnerable business systems is verified.
   DO / DONE / N/A    COMMENTS:
73. Make sure that your recovery procedures ensure that all relevant business controls are still effective.
   DO / DONE / N/A    COMMENTS:
Etcetera ...
   DO / DONE / N/A    COMMENTS:

ORGANIZATION:
YOUR LOCATION:
COMPLETED BY:
DATE COMPLETED:
REVIEWED BY:
DATE REVIEWED:


OCT 2004   VER 1.0   PART 8   COMMUNICATIONS AND OPERATIONS MANAGEMENT   PAGE 48
COPYRIGHT © PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.


Updated on December 26, 2011. First published on November 4, 2004.

Copyright © 2004 - 2011 by Praxiom Research Group Limited. All Rights Reserved.
