IsoOrganization has involvements in SecurityManagement.
Relevant specifications include ISO17799 [and Part 2: the auditing guidelines in BS7799-2 (2002 revision), not yet adopted?].
- According to LucentTechnologies, ISO 17799 is a direct descendant of the British Standard Institute (BSI) Information Security Management standard BS7799.
- FAQ from NIST
There's an ISO 17799-specific wiki site.
ISO17799 is essentially identical to BS7799 Part 1. It's mostly a collection of good advice. BS7799 Part 2 is a mandated approach to information security management. While it is a reasonable approach (in my opinion), it's not the only approach, and this restriction to a single approach was one of the reasons that the US (and possibly others) objected to its adoption as an ISO standard.
Only Part 2 can be audited against, so if you see someone claiming compliance to ISO17799, make sure you understand exactly what they mean by that...
Another ISO security standard is ISO 13335 (GMITS, or "Guidelines for the Management of IT Security").
- A five-part document: Part 1 covers concepts and models, Part 2 management and planning, Part 3 techniques related to policies, controls and safeguards, Part 4 a list of safeguards, and Part 5 network security aspects.
- From 13335, the new standard for IT security (Jodie Siganto)
ANSI has also been doing security analysis together with ISO. See a 2004 example.