
ISO/IEC 17799

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: ISO/IEC 17799
Status: Withdrawn; superseded
First published: 2000
Withdrawn: 2005
Replaced by: ISO/IEC 27002
Subject: Information security management

ISO/IEC 17799 was an international standard for information security management controls, developed to guide organizations in safeguarding their assets; it influenced practitioners, auditors, and policymakers across industries. It informed corporate strategies for risk treatment at entities such as IBM, Microsoft, Siemens, Shell plc, and Bank of America, while interacting with regulators such as the European Commission, the United States Department of Defense, the Financial Services Authority (UK), the Australian Signals Directorate, and the International Telecommunication Union. The document shaped guidance used by consultants from firms such as Deloitte, PricewaterhouseCoopers, Ernst & Young, and KPMG, and by academic groups at the Massachusetts Institute of Technology, Stanford University, the University of Oxford, ETH Zurich, and the National University of Singapore.

Overview

ISO/IEC 17799 presented a catalogue of best-practice security controls designed for use by organizations ranging from United Nations agencies and World Health Organization programmes to corporations such as Sony, Apple Inc., General Electric, Toyota Motor Corporation, and Amazon. It operated as a code of practice that influenced compliance regimes overseen by the Securities and Exchange Commission, the Basel Committee on Banking Supervision, the Office of the Privacy Commissioner of Canada, the Japanese Ministry of Economy, Trade and Industry, and the Hong Kong Monetary Authority. The standard was widely cited in management systems alongside the ISO 9001, ISO 14001, ISO/IEC 27001, COBIT, and ITIL frameworks used by enterprises including Vodafone, Verizon Communications, AT&T, T-Mobile, and Deutsche Telekom.

History and Development

The standard originated as a UK code of practice produced by British Standards Institution contributors and committees, including practitioners affiliated with Royal Mail, British Airways, Barclays, GlaxoSmithKline, and Rolls-Royce Holdings. Subsequent work led to its internationalization under International Organization for Standardization and International Electrotechnical Commission technical committees, with participation from national bodies such as the American National Standards Institute, Standards Australia, DIN (German Institute for Standardization), the Bureau de Normalisation du Québec, and the Association Française de Normalisation. Revisions involved experts from NIST, ENISA, the CERT Coordination Center, and the SANS Institute, together with academic researchers from Carnegie Mellon University and the University of Cambridge, culminating in its replacement by a newer code of practice that shaped later editions, including ISO/IEC 27002.

Structure and Content

ISO/IEC 17799 organized its controls into thematic domains covering areas relevant to organizations such as Royal Dutch Shell, BP, ExxonMobil, Siemens AG, and Airbus. Its sections described policy formulation, asset management, human resources security, physical and environmental security, communications and operations management, access control, systems development, business continuity, and compliance — concepts applied in environments managed by McDonald's Corporation, Walmart, IKEA, Procter & Gamble, and Unilever. The standard provided examples applicable to information systems produced by vendors including Oracle Corporation, SAP SE, Cisco Systems, Hewlett-Packard, and Intel Corporation, and drew on incident experience studied by Interpol, the FBI, MI5, MI6, and Europol.

Implementation and Adoption

Organizations adopted ISO/IEC 17799 through consultants from Accenture, Capgemini, Booz Allen Hamilton, McKinsey & Company, and the Boston Consulting Group, and through auditors from BSI Group, SGS, TÜV SÜD, Lloyd's Register, and DNV GL. Implementation intersected with the procurement and contractual practices of Walmart Stores, Inc., Target Corporation, IKEA Group, FedEx, and UPS, and informed vendor risk programs at Google, Facebook, Twitter, Alibaba Group, and Tencent. Public-sector adopters included departments in the United Kingdom, Canada, Singapore, New Zealand, and Germany, while financial institutions such as JPMorgan Chase, Goldman Sachs, HSBC, Citigroup, and Deutsche Bank used it as a baseline for their controls.

Relationship to Other Standards

ISO/IEC 17799 was related to management standards such as ISO/IEC 27001, ISO 9001, ISO 22301, and ISO/IEC 20000, and to compliance schemes such as PCI DSS, the Sarbanes–Oxley Act, GDPR, HIPAA, and Basel II. It complemented control frameworks including the NIST Cybersecurity Framework, COBIT 5, ITIL V3, the SANS Critical Security Controls, and OASIS specifications used by institutions such as the World Bank, the International Monetary Fund, the European Central Bank, the Bank for International Settlements, and the Organisation for Economic Co-operation and Development.

Criticism and Limitations

Critics, including industry analysts at Gartner, Forrester Research, IDC, KuppingerCole, and 451 Research, argued that the standard was high-level and required significant interpretation by practitioners at firms such as Siemens, Philips, Hitachi, NEC Corporation, and Samsung Electronics. Legal commentators, referencing rulings by the European Court of Justice, the US Supreme Court, the Court of Appeal (England and Wales), the Federal Court of Australia, and the Supreme Court of Canada, noted the difficulty of aligning the code with statutory obligations under the Data Protection Act 1998, the Privacy Act 1988 (Australia), the Health Insurance Portability and Accountability Act, the Telecommunications Act (US), and the Computer Misuse Act 1990. Security researchers associated with the MITRE Corporation, CERT/CC, the Open Web Application Security Project, the European Network and Information Security Agency, and Virus Bulletin highlighted its limited technical specificity compared with the controls in modern guidance from the Cloud Security Alliance, the Center for Internet Security, NIST SP 800-53, and ENISA.
