ISO IEC 17799 2000

TRANSLATED INTO PLAIN ENGLISH

Section 3: Security Policy

DETAILED STANDARD


ISO IEC 17799 2000 is now OBSOLETE.

Please see the NEW ISO IEC 27002 2013 Standard.


3.1 ESTABLISH AN INFORMATION SECURITY POLICY

Establish an information security policy.

Make sure that your security policy provides clear direction.

Make sure that your information security policy shows that
your organization is committed to information security.

Make sure that your security policy shows that your organization is
prepared to support an ongoing commitment to information security.

3.1.1 DEVELOP AN INFORMATION SECURITY POLICY DOCUMENT

Document your information security policy.

Make sure that your information security policy document
has been formally approved by your senior management.

Publish your information security policy document.

Communicate your security policy to all employees.

Make sure that your information security policy
communications are easy for users to understand.

Make sure that your security policy communications
are relevant to your users’ needs and expectations.

Make sure that your security policy document makes it clear that
your senior management is firmly committed to information security.

Make sure that your policy document indicates that your management
supports your organization’s information security goals and principles.

Make sure that your information security policy document describes your
organization’s approach to the management of information security.

Make sure that your security policy document
provides a definition of information security.

Make sure that your policy document clarifies the scope
of your organization’s commitment to information security.

Make sure that your information security policy document defines
your organization’s information security objectives.

Make sure that your security policy document highlights the information
security considerations that are especially important to your organization.

Make sure that your information security policy document
defines information security management responsibilities.

Make sure that your information security policy document
defines security incident reporting responsibilities.

Make sure that your security policy refers to other
documents that support your information security policy.

3.1.2 REVIEW AND EVALUATE INFORMATION SECURITY POLICY

Clarify who owns your information security policy.

Make sure that your security policy owner is responsible
for the review and evaluation of your security policy.

Define a security policy review and evaluation process.

Carry out periodic information security policy reviews.

Make sure that your periodic policy reviews evaluate
the effectiveness of your information security policy.

Make sure that your periodic policy reviews evaluate the
impact security controls are having on business efficiency.

Make sure that your periodic policy reviews evaluate
the effects that changes in technology are having.

Carry out a policy review whenever your security risks change.

Praxiom Research Group Limited       help@praxiom.com      780-461-4514

Updated on March 27, 2014. First published on October 28, 2004.


Copyright © 2004 - 2014 by Praxiom Research Group Limited. All Rights Reserved.