Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000
March 1, 2006

The new ISO/IEC 27001 standard (the successor to BS 7799-2, with its Annex A controls drawn from ISO/IEC 17799) was released in the fourth quarter of 2005. To assist in comparing the new version of the standard to the previous version, the controls are listed below.

Each entry pairs an ISO/IEC 27001:2005 reference, title and control (or, for a clause heading, its control objective) with the matching ISO/IEC 17799:2000 reference, title and control. "New control" or "New objective" on the 17799:2000 side means the 2005 requirement has no counterpart in the 2000 edition. Where the source cuts a sentence short, the cut is kept as it is.


27001:2005  5  Security Policy
17799:2000  3  Security Policy

27001:2005  5.1  Information security policy
  Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
17799:2000  3.1  Information security policy
  Objective: To provide management direction and support for information security.

27001:2005  5.1.1  Information security policy document
  Control: An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.
17799:2000  3.1.1  Information security policy document
  Control: A policy document shall be approved by management, published and communicated, as appropriate, to all employees.

27001:2005  5.1.2  Review of the information security policy
  Control: The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
17799:2000  3.1.2  Review and evaluation
  Control: The policy shall be reviewed regularly, and in case of influencing changes, to ensure it remains appropriate.


27001:2005  6  Organization of information security
17799:2000  4  Organizational Security

27001:2005  6.1  Internal organization
  Objective: To manage information security within the organization.
17799:2000  4.1  Information Security Infrastructure
  Objective: To manage information security within the organization.

27001:2005  6.1.1  Management commitment to information security
  Control: Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.
17799:2000  4.1.1  Management information security forum
  Control: A management forum to ensure that there is clear direction and visible management support for security initiatives will be in place. The management forum shall promote security through appropriate commitment and adequate resourcing.

27001:2005  6.1.2  Information security coordination
  Control: Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions.
17799:2000  4.1.2  Information security coordination
  Control: In large organizations, a cross-functional forum of management representatives from relevant parts of the organization shall be used to coordinate the implementation of information security controls.

27001:2005  6.1.3  Allocation of information security responsibilities
  Control: All information security responsibilities shall be clearly defined.
17799:2000  4.1.3  Allocation of information security responsibilities
  Control: Responsibilities for the protection of individual assets and for carrying out specific security processes shall be clearly defined.

27001:2005  6.1.4  Authorization process for information processing facilities
  Control: A management authorization process for new information processing facilities shall be defined and implemented.
17799:2000  4.1.4  Authorization process for information processing facilities
  Control: A management authorization process for new information processing facilities shall be established.

27001:2005  6.1.5  Confidentiality agreements
  Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.
17799:2000  6.1.3  Confidentiality agreements
  Control: Employees shall sign a confidentiality agreement as part of their initial terms and conditions of employment.

27001:2005  6.1.6  Contact with authorities
  Control: Appropriate contacts with relevant authorities shall be maintained.
17799:2000  4.1.6  Cooperation between organizations
  Control: Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.

27001:2005  6.1.7  Contact with special interest groups
  Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
17799:2000  4.1.5  Specialist information security advice
  Control: Specialist advice on information security shall be sought from either internal or external advisors and coordinated throughout the organization.

27001:2005  6.1.8  Independent review of information security
  Control: The organization's approach to managing information security and its implementation (i.e. control objectives, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.
17799:2000  4.1.7  Independent review of information security
  Control: The implementation of the information security policy shall be reviewed independently.

27001:2005  6.2  External parties
  Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
17799:2000  4.2  Security of third-party access
  Objective: To maintain the security of organizational information processing facilities and information assets accessed by third parties.

27001:2005  6.2.1  Identification of risks related to external parties
  Control: The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.
17799:2000  4.2.1  Identification of risks from third-party access
  Control: The risks associated with access to organizational information processing facilities by third parties shall be assessed and appropriate security controls implemented.

27001:2005  6.2.2  Addressing security when dealing with customers
  Control: All identified security requirements shall be addressed before giving customers access to the organization's information or assets.
17799:2000  New control

27001:2005  6.2.3  Addressing security in third party agreements
  Control: Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.
17799:2000  4.2.2  Security requirements in third-party contracts
  Control: Arrangements involving third-party access to organizational information processing facilities shall be based on a formal contract containing all necessary security requirements.
17799:2000  4.3.1  Security requirements in outsourcing contracts
  Control: The security requirements of an organization outsourcing the management and control of all or some of its information systems, networks, and/or desktop environments shall be addressed in a contract agreed between the parties.


27001:2005  7  Asset management
17799:2000  5  Asset Classification and Control

27001:2005  7.1  Responsibility for assets
  Objective: To achieve and maintain appropriate protection of organizational assets.
17799:2000  5.1  Accountability for assets
  Objective: To maintain appropriate protection of organizational assets.

27001:2005  7.1.1  Inventory of assets
  Control: All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.
17799:2000  5.1.1  Inventory of assets
  Control: An inventory of all important assets associated with each information system shall be drawn up and maintained.

27001:2005  7.1.2  Ownership of assets
  Control: All information and assets associated with information processing facilities shall be owned by a designated part of the organization.
17799:2000  New control

27001:2005  7.1.3  Acceptable use of assets
  Control: Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented and implemented.
17799:2000  New control

27001:2005  7.2  Information classification
  Objective: To ensure that information receives an appropriate level of protection.
17799:2000  5.2  Information classification
  Objective: To ensure that information assets receive an appropriate level of protection.

27001:2005  7.2.1  Classification guidelines
  Control: Information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
17799:2000  5.2.1  Classification guidelines
  Control: Classifications and associated protective controls for information shall take account of business needs for sharing or restricting information, and the business impacts associated with such needs.

27001:2005  7.2.2  Information labeling and handling
  Control: An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.
17799:2000  5.2.2  Information labeling and handling
  Control: A set of procedures shall be defined for information labeling and handling in accordance with the classification scheme adopted by the organization.


27001:2005  8  Human resources security
17799:2000  6  Personnel security

27001:2005  8.1  Prior to employment
  Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
17799:2000  6.1  Security in job definition and resourcing
  Objective: To reduce the risks of human error, theft, fraud or misuse of facilities.

27001:2005  8.1.1  Roles and responsibilities
  Control: Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy.
17799:2000  6.1.1  Including security in job responsibilities
  Control: Security roles and responsibilities, as laid down in the organization's information security policy, shall be documented in job definitions.

27001:2005  8.1.2  Screening
  Control: Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
17799:2000  6.1.2  Personnel screening and policy
  Control: Verification checks on permanent staff, contractors, and temporary staff shall be carried out at the time of job applications.

27001:2005  8.1.3  Terms and conditions of employment
  Control: As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security.
17799:2000  6.1.4  Terms and conditions of employment
  Control: The terms and conditions of employment shall state the employee's responsibility for information security.

27001:2005  8.2  During employment
  Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
17799:2000  6.2  User training
  Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.

27001:2005  8.2.1  Management responsibilities
  Control: Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.
17799:2000  New control

27001:2005  8.2.2  Information security awareness, education, and training
  Control: All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organization policies and procedures as relevant for their job function.
17799:2000  6.2.1  Information security education and training
  Control: All employees of the organization and, where relevant, third-party users, shall receive appropriate training and regular updates in organizational policies and procedures.

27001:2005  8.2.3  Disciplinary process
  Control: There shall be a formal disciplinary process for employees who have committed a security breach.
17799:2000  6.3.5  Disciplinary process
  Control: The violation of organizational security policies and procedures by employees shall be dealt with through a formal disciplinary process.

27001:2005  8.3  Termination or change of employment
  Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
17799:2000  New objective

27001:2005  8.3.1  Termination responsibilities
  Control: Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.
17799:2000  New control

27001:2005  8.3.2  Return of assets
  Control: All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement.
17799:2000  New control

27001:2005  8.3.3  Removal of access rights
  Control: The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
17799:2000  New control


27001:2005  9  Physical and environmental security
17799:2000  7  Physical and environmental security

27001:2005  9.1  Secure areas
  Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.
17799:2000  7.1  Secure areas
  Objective: To prevent unauthorized physical access, damage and interference to business premises and information.

27001:2005  9.1.1  Physical security perimeter
  Control: Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities.
17799:2000  7.1.1  Physical security perimeter
  Control: Organizations shall use security perimeters to protect areas that contain information processing facilities.

27001:2005  9.1.2  Physical entry controls
  Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
17799:2000  7.1.2  Physical entry controls
  Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

27001:2005  9.1.3  Securing offices, rooms and facilities
  Control: Physical security for offices, rooms, and facilities shall be designed and applied.
17799:2000  7.1.3  Securing offices, rooms and facilities
  Control: Secure areas shall be created in order to protect offices, rooms and facilities with special security requirements.

27001:2005  9.1.4  Protecting against external and environmental threats
  Control: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.
17799:2000  New control

27001:2005  9.1.5  Working in secure areas
  Control: Physical protection and guidelines for working in secure areas shall be designed and applied.
17799:2000  7.1.4  Working in secure areas
  Control: Additional controls and guidelines for working in secure areas shall be used to enhance the security of secure areas.

27001:2005  9.1.6  Public access, delivery, and loading areas
  Control: Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
17799:2000  7.1.5  Isolated delivery and loading areas
  Control: Delivery and loading areas shall be controlled, and where possible, isolated from information processing facilities to avoid unauthorized access.

27001:2005  9.2  Equipment security
  Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.
17799:2000  7.2  Equipment security
  Objective: To prevent loss, damage or compromise of assets and interruption to business activities.

27001:2005  9.2.1  Equipment siting and protection
  Control: Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
17799:2000  7.2.1  Equipment siting and protection
  Control: Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

27001:2005  9.2.2  Supporting utilities
  Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
17799:2000  7.2.2  Power supplies
  Control: Equipment shall be protected from power failures and other electrical anomalies.

27001:2005  9.2.3  Cabling security
  Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
17799:2000  7.2.3  Cabling security
  Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.

27001:2005  9.2.4  Equipment maintenance
  Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.
17799:2000  7.2.4  Equipment maintenance
  Control: Equipment shall be correctly maintained to enable its continued availability and integrity.

27001:2005  9.2.5  Security of equipment off-premises
  Control: Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises.
17799:2000  7.2.5  Security of equipment off-premises
  Control: Any use of equipment for information processing outside an organization's premises shall require authorization by management.

27001:2005  9.2.6  Secure disposal or re-use of equipment
  Control: All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.
17799:2000  7.2.6  Secure disposal or re-use of equipment
  Control: Information shall be erased from equipment prior to disposal or re-use.

27001:2005  9.2.7  Removal of property
  Control: Equipment, information or software shall not be taken off-site without prior authorization.
17799:2000  7.3.2  Removal of property
  Control: Equipment, information or software belonging to the organization shall not be removed without authorization of the management.


27001:2005  10  Communications and operations management
17799:2000  8  Communications and operations management

27001:2005  10.1  Operational procedures and responsibilities
  Objective: To ensure the correct and secure operation of information processing facilities.
17799:2000  8.1  Operational procedures and responsibilities
  Objective: To ensure the correct and secure operation of information processing facilities.

27001:2005  10.1.1  Documented operating procedures
  Control: Operating procedures shall be documented, maintained, and made available to all users who need them.
17799:2000  8.1.1  Documented operating procedures
  Control: The operating procedures identified in the security policy shall be documented and maintained.

27001:2005  10.1.2  Change management
  Control: Changes to information processing facilities and systems shall be controlled.
17799:2000  8.1.2  Operational change controls
  Control: Changes to information processing facilities and systems shall be controlled.

27001:2005  10.1.3  Segregation of duties
  Control: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
17799:2000  8.1.4  Segregation of duties
  Control: Duties and areas of responsibility shall be segregated in order to reduce opportunities for unauthorized modification or misuse of information or services.

27001:2005  10.1.4  Separation of development, test and operational facilities
  Control: Development, test, and operational facilities shall be separated to reduce the risks of unauthorized access or changes to the operational system.
17799:2000  8.1.5  Separation of development and operational facilities
  Control: Development and testing facilities shall be separated from operational facilities. Rules for the migration of software from development to operational status shall be defined and documented.

27001:2005  10.2  Third party service delivery management
  Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
17799:2000  New objective

27001:2005  10.2.1  Service delivery
  Control: It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.
17799:2000  8.1.6  External facilities management
  Control: Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor, and incorporated into the contract.

27001:2005  10.2.2  Monitoring and review of third party services
  Control: The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.
17799:2000  New control

27001:2005  10.2.3  Managing changes to third party services
  Control: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and reassessment of risks.
17799:2000  New control

27001:2005  10.3  System planning and acceptance
  Objective: To minimize the risk of systems failures.
17799:2000  8.2  System planning and acceptance
  Objective: To minimize the risk of systems failure.

27001:2005  10.3.1  Capacity management
  Control: The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
17799:2000  8.2.1  Capacity planning
  Control: Capacity demands shall be monitored and projections of future capacity requirements made to enable adequate processing power and storage to be made available.

27001:2005  10.3.2  System acceptance
  Control: Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.
17799:2000  8.2.2  System acceptance
  Control: Acceptance criteria for new information systems, upgrades and new versions shall be established and suitable tests of the system carried out prior to acceptance.

27001:2005  10.4  Protection against malicious software
  Objective: To protect the integrity of software and information.
17799:2000  8.3  Protection against malicious software
  Objective: To protect the integrity of software and information from damage by malicious software.

27001:2005  10.4.1  Controls against malicious code
  Control: Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.
17799:2000  8.3.1  Controls against malicious software
  Control: Detection and prevention controls to protect against malicious software and appropriate user awareness procedures shall be implemented.

27001:2005  10.4.2  Controls against mobile code
  Control: Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing.
17799:2000  New control

27001:2005  10.5  Back-up
  Objective: To maintain the integrity and availability of information and information processing facilities.
17799:2000  8.4  Housekeeping
  Objective: To maintain the integrity and availability of information processing and communication services.

27001:2005  10.5.1  Information back-up
  Control: Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.
17799:2000  8.4.1  Information back-up
  Control: Back-up copies of essential business information and software shall be taken and tested regularly.

27001:2005  10.6  Network security management
  Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
17799:2000  8.5  Network management
  Objective: To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

27001:2005  10.6.1  Network controls
  Control: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
17799:2000  8.5.1  Network controls
  Control: A range of controls shall be implemented to achieve and maintain security in networks.

27001:2005  10.6.2  Security of network services
  Control: Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
17799:2000  9.4.9  Security of network services
  Control: A clear description of the security attributes of all network services used by the organization shall be provided.

27001:2005  10.7  Media handling
  Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
17799:2000  8.6  Media handling and security
  Objective: To prevent damage to assets and interruptions to business activities.

27001:2005  10.7.1  Management of removable media
  Control: There shall be procedures in place for the management of removable media.
17799:2000  8.6.1  Management of removable computer media
  Control: The management of removable computer media, such as tapes, disks, cassettes and printed reports, shall be controlled.

27001:2005  10.7.2  Disposal of media
  Control: Media shall be disposed of securely and safely when no longer required, using formal procedures.
17799:2000  8.6.2  Disposal of media
  Control: Media shall be disposed of securely and safely when no longer required.

27001:2005  10.7.3  Information handling procedures
  Control: Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse.
17799:2000  8.6.3  Information handling procedures
  Control: Procedures for the handling and storage of information shall be established in order to protect such information from unauthorized disclosure or misuse.

27001:2005  10.7.4  Security of system documentation
  Control: System documentation shall be protected against unauthorized access.
17799:2000  8.6.4  Security of system documentation
  Control: System documentation shall be protected from unauthorized access.

27001:2005  10.8  Exchange of information
  Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
17799:2000  8.7  Exchanges of information and software
  Objective: To prevent loss, modification or misuse of information exchanged between organizations.

27001:2005  10.8.1  Information exchange policies and procedures
  Control: Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communications facilities.
17799:2000  8.7.7  Other forms of information exchange
  Control: Policies, procedures and controls shall be in place to protect the exchange of information through the use of voice, facsimile and video communication facilities.

27001:2005  10.8.2  Exchange agreements
  Control: Agreements shall be established for the exchange of information and software between the organization and external parties.
17799:2000  8.7.1  Information and software exchange agreements
  Control: Agreements, some of which may be formal, shall be established for the exchange of information and software (whether electronic or manual) between organizations.

27001:2005  10.8.3  Physical media in transit
  Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundaries.
17799:2000  8.7.2  Security of media in transit
  Control: Media being transported shall be protected from unauthorized access, misuse or corruption.

27001:2005  10.8.4  Electronic messaging
  Control: Information involved in electronic messaging shall be appropriately protected.
17799:2000  8.7.4  Security of electronic mail
  Control: A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.

27001:2005  10.8.5  Business information systems
  Control: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.
17799:2000  8.7.5  Security of electronic office systems
  Control: Policies and guidelines shall be prepared and implemented to control the business and security risks associated with electronic office systems.

27001:2005  10.9  Electronic commerce services
  Objective: To ensure the security of electronic commerce services, and their secure use.
17799:2000  New objective

27001:2005  10.9.1  Electronic commerce
  Control: Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure or modification.
17799:2000  8.7.3  Electronic commerce security
  Control: Electronic commerce shall be protected against fraudulent activity, contract dispute and disclosure or modification of information.

27001:2005  10.9.2  On-line transactions
  Control: Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
17799:2000  New control

27001:2005  10.9.3  Publicly available information
  Control: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification.
17799:2000  8.7.6  Publicly available systems
  Control: There shall be a formal authorization process before information is made publicly available and the integrity of such information shall be protected to prevent unauthorized modification.

27001:2005  10.10  Monitoring
  Objective: To detect unauthorized information processing activities.
17799:2000  9.7  Monitoring system access and use
  Objective: To detect unauthorized activities.

27001:2005  10.10.1  Audit logging
  Control: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
17799:2000  9.7.1  Event logging
  Control: Audit logs recording exceptions and other security-relevant events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

27001:2005  10.10.2  Monitoring system use
  Control: Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.
17799:2000  9.7.2  Monitoring system use
  Control: Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.

27001:2005  10.10.3  Protection of log information
  Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
17799:2000  New control

27001:2005  10.10.4  Administrator and operator logs
  Control: System administrator and system operator activities shall be logged.
17799:2000  8.4.2  Operator logs
  Control: Operational staff shall maintain a log of their activities. Operator logs shall be subject to regular, independent checks.

27001:2005  10.10.5  Fault logging
  Control: Faults shall be logged, analyzed, and appropriate action taken.
17799:2000  8.4.3  Fault logging
  Control: Faults shall be reported and corrective action taken.

27001:2005  10.10.6  Clock synchronization
  Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.
17799:2000  9.7.3  Clock synchronization
  Control: Computer clocks shall be synchronized for accurate recording.


27001:2005  11  Access Control
17799:2000  9  Access Control

27001:2005  11.1  Business requirement for access control
  Objective: To control access to information.
17799:2000  9.1  Business requirement for access control
  Objective: To control access to information.

27001:2005  11.1.1  Access control policy
  Control: An access control policy shall be established, documented, and reviewed based on business and security requirements for access.
17799:2000  9.1.1  Access control policy
  Control: Business requirements for access control shall be defined and documented, and access shall be restricted to what is defined in the access control policy.

27001:2005  11.2  User access management
  Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
17799:2000  9.2  User access management
  Objective: To ensure that access rights

27001:2005  11.2.1  User registration
  Control: There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

27001:2005  11.2.2  Privilege management
  Control: The allocation and use of

27001:2005  11.2.3  User password management

27001:2005  11.2.4  Review of user access rights

27001:2005  11.3  User responsibilities

27001:2005  11.3.1  Password use

27001:2005  11.3.2

27001:2005  11.3.3
privileges shall be restricted and
controlled.
The allocation of passwords shall
be controlled through a formal
management process.
Management shall review users'
access rights at regular intervals
using a formal process.

ISO
17799:2000
Ref #

Title

9.2.1

User registration

9.2.2

Privilege management

9.2.3

User password management

9.2.4

Review of user access rights

To prevent unauthorized user


access, and compromise or
theft of information and
information processing
facilities.
Users shall be required to follow
good security practices in the
selection and use of passwords.

9.3

User responsibilities

9.3.1

Password use

Unattended user equipment

Users shall ensure that


unattended equipment has
appropriate protection.

9.3.2

Unattended user equipment

Clear desk and clear screen


policy

A clear desk policy for papers and


removable storage media and a
clear screen policy for information
processing facilities shall be
adopted.

7.3.1

Clear desk and clear screen


policy

March 1, 2006

Control

to information systems are


appropriately authorized,
allocated and maintained.
There shall be a formal user
registration and de-registration
procedure for granting access
to all multi-user information
systems and services.
The allocation and use of
privileges shall be restricted
and controlled.
The allocation of passwords
shall be controlled through a
formal management process.
Management shall conduct a
formal process at regular
intervals to review users'
access rights.
To prevent unauthorized
user access.

Users shall be required to


follow good security practices
in the selection and use of
passwords.
Users shall be required to
ensure that unattended
equipment is given appropriate
protection.
Organizations shall have a
clear desk and a clear screen
policy aimed at reducing the
risks of unauthorized access,
loss of, and damage to
information.

Page 16 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #
11.4

Network access control

11.4.1

Policy on use of network


services

11.4.2

User authentication for


external connections

11.4.3

Equipment identification in
networks

11.4.4

Remote diagnostic and


configuration port protection

11.4.5

Segregation in networks

11.4.6

Network connection control

11.4.7

Network routing control

11.5

Operating system access

March 1, 2006

Control

ISO
17799:2000
Ref #

Title

Control

To prevent unauthorized
access to networked services.
Users shall only be provided with
access to the services that they
have been specifically authorized
to use.
Appropriate authentication
methods shall be used to control
access by remote users.
Automatic equipment
identification shall be considered
as a means to authenticate
connections from specific
locations and equipment.
Physical and logical access to
diagnostic and configuration ports
shall be controlled.
Groups of information services,
users, and information systems
shall be segregated on networks.

9.4

Network access control

Protection of networked
services.
Users shall only have direct
access to the services that
they have been specifically
authorized to use.
Access by remote users shall
be subject to authentication.

9.4.1

Policy on use of network


services

9.4.3

User authentication for


external connections

9.4.4

Node authentication

Connections to remote
computer systems shall be
authenticated.

9.4.5

Remote diagnostic port


protection

Access to diagnostic ports


shall be securely controlled.

9.4.6

Segregation in networks

For shared networks, especially


those extending across the
organization's boundaries, the
capability of users to connect to
the network shall be restricted, in
line with the access control policy
and requirements of the business
applications (see 11.1).
Routing controls shall be
implemented for networks to
ensure that computer connections
and information flows do not
breach the access control policy
of the business applications.

9.4.7

Network connection control

Controls shall be introduced in


networks to segregate groups
of information services, users
and information systems.
The connection capability of
users shall be restricted in
shared networks, in
accordance with the access
control policy.

9.4.8

Network routing control

To prevent unauthorized

9.5

Operating system access

Shared networks shall have


routing controls to ensure that
computer connections and
information flows do not
breach the access control
policy of the business
applications.
To prevent unauthorized

Page 17 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #
11.5.1

control
Secure log-on procedures

11.5.2

User identification and


authorization

11.5.3

Password management
system

11.5.4

Use of system utilities

11.5.5

Session time-out

11.5.6

Limitation of connection time

11.6

Application and information


access control

11.6.1

Information access restriction

March 1, 2006

Control

access to operating systems.


Access to operating systems shall
be controlled by a secure log-on
procedure.
All users shall have a unique
identifier (user ID) for their
personal use only, and a suitable
authentication technique shall be
chosen to substantiate the
claimed identity of a user.

ISO
17799:2000
Ref #
9.5.2

Title

control
Terminal log-on procedures

9.5.3

User identification and


authorization

Systems for managing passwords


shall be interactive and shall
ensure quality of passwords.

9.5.4

Password management
system

The use of utility programs that


might be capable of overriding
system and application controls
shall be restricted and tightly
controlled.
Interactive sessions shall shut
down after a defined period of
inactivity.

9.5.5

Use of system utilities

9.5.7

Terminal time-out

Restrictions on connection times


shall be used to provide
additional security for high-risk
applications.
To prevent unauthorized
access to information held in
application systems.
Access to information and

9.5.8

Limitation of connection time

9.6

Application access control

9.6.1

Information access restriction

Control

computer access.
Access to information services
shall use a secure log-on
process.
All users shall have a unique
identifier (user ID) for their
personal and sole use so that
activities can be traced to the
responsible individual. A
suitable authentication
technique shall be chosen to
substantiate the claimed
identity of the user.
Password management
systems shall provide an
effective, interactive facility
which aims to ensure quality
passwords.
Use of system utility programs
shall be restricted and tightly
controlled.

Inactive terminals in high risk


locations or serving high risk
systems shall shut down after
a defined period of inactivity to
prevent access by
unauthorized persons.
Restrictions on connection
times shall be used to provide
additional security for high risk
applications.
To prevent unauthorized
access to information held
in information systems.
Access to information and

Page 18 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #

11.6.2

Sensitive system isolation

11.7

Mobile computing and


teleworking

11.7.1

Mobile computing and


communications

11.7.2

Teleworking

12

Information systems
acquisition, development
and maintenance
Security requirements of
information systems

12.1

12.1.1

Security requirements analysis


and specification

12.2

Correct processing in
applications

March 1, 2006

Control

application system functions by


users and support personnel shall
be restricted in accordance with
the defined access control policy.
Sensitive systems shall have a
dedicated (isolated) computing
environment.
To ensure information security
when using mobile computing
and teleworking facilities.

Title

ISO
17799:2000
Ref #

9.6.2

Sensitive system isolation

9.8

Mobile computing and


teleworking

A formal policy shall be in place,


and appropriate security
measures shall be adopted to
protect against the risks of using
mobile computing and
communications facilities.

9.8.1

Mobile computing

A policy, operational plans and


procedures shall be developed
and implemented for teleworking
activities.

9.8.2

Teleworking

10

System development and


maintenance

10.1

Security requirements of
systems

A10.1.1

Security requirements analysis


and specification

10.2

Security in application
systems

To ensure that security is an


integral part of information
systems.
Statements of business
requirements for new information
systems, or enhancements to
existing information systems shall
specify the requirements for
security controls.
To prevent errors, loss,
unauthorized modification or
misuse of information in

Control

application system functions


shall be restricted in
accordance with the access
control policy.
Sensitive systems shall have a
dedicated (isolated) computing
environment.
To ensure information
security when using mobile
computing and teleworking
facilities.
A formal policy shall be in
place and appropriate controls
shall be adopted to protect
against the risks of working
with mobile computing
facilities, in particular in
unprotected environments.
Policies, procedures and
standards shall be developed
to authorize and control
teleworking activities.

To ensure that security is


built into information
systems.
Business requirements for
new systems or
enhancements to existing
systems shall specify the
requirements for controls.
To prevent loss,
modification or misuse of
user data in application

Page 19 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #
12.2.1

Input data validation

12.2.2

Control of internal processing

12.2.3

Message integrity

12.2.4

Output data validation

12.3

Cryptographic controls

12.3.1

Policy on the use of


cryptographic controls

12.3.2

Key management

March 1, 2006

Control

applications.
Data input to applications shall be
validated to ensure that this data
is correct and appropriate.

ISO
17799:2000
Ref #

Title

Control

systems.
Data input to application
systems shall be validated to
ensure that it is correct and
appropriate.
Validation checks shall be
incorporated into systems to
detect any corruption of the
data processed.

10.2.1

Input data validation

Validation checks shall be


incorporated in applications to
detect any corruption of
information through processing
errors or deliberate acts.
Requirements for ensuring
authenticity and protecting
message integrity in applications
shall be identified, and
appropriate controls identified and
implemented.
Data output from an application
shall be validated to ensure that
the processing of stored
information is correct and
appropriate to the circumstances.

10.2.2

Control of internal processing

10.2.3

Message authentication

Message authentication shall


be used for applications where
there is a security requirement
to protect the integrity of the
message content.

10.2.4

Output data validation

To protect confidentiality,
authenticity or integrity of
information by cryptographic
means.
A policy on the use of
cryptographic controls for
protection of information shall be
developed and implemented.
Key management shall be in
place to support the
organization's use of
cryptographic techniques.

10.3

Cryptographic controls

Data output from an


application system shall be
validated to ensure that the
processing of stored
information is correct and
appropriate to the
circumstances.
To protect the
confidentiality, authenticity
or integrity of information

10.3.1

Policy on the use of


cryptographic controls

10.3.5

Key management

A policy on the use of


cryptographic controls for the
protection of information shall
be developed.
A key management system
based on an agreed set of
standards, procedures and
methods shall be used to
support the use of
cryptographic techniques.

Page 20 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #

Control

ISO
17799:2000
Ref #

Title

Control

12.4

Security of system files

To ensure the security of


system files.

10.4

Security of system files

12.4.1

Control of operational software

There shall be procedures in


place to control the installation of
software on operational systems.

10.4.1

Control of operational software

12.4.2

Protection of system test data

10.4.2

Protection of system test data

12.4.3

Access control to program


source code

Test data shall be selected


carefully, and protected and
controlled.
Access to program source code
shall be restricted.

10.4.3

Access control to program


source library

12.5

Security in development and


support processes

10.5

Security in development and


support processes

12.5.1

Change control procedures

10.5.1

Change control procedures

12.5.2

Technical review of
applications after operating
system changes

10.5.2

Technical review of operating


system changes

12.5.3

Restrictions on changes to
software packages

10.5.3

Restrictions on changes to
software packages

Modifications to software
packages shall be
discouraged and essential
changes strictly controlled.

12.5.4

Information leakage

To maintain the security of


application system software
and information.
The implementation of changes
shall be controlled by the use of
formal change control
procedures.
When operating systems are
changed, business critical
applications shall be reviewed
and tested to ensure there is no
adverse impact on organizational
operations or security.
Modifications to software
packages shall be discouraged,
limited to necessary changes, and
all changes shall be strictly
controlled.
Opportunities for information
leakage shall be prevented.

10.5.4

Covert channels and Trojan


code

The purchase, use and


modification of software shall
be controlled and checked to
protect against possible covert
channels and Trojan code.

March 1, 2006

To ensure that IT projects


and support activities are
conducted in a secure
manner.
Procedures shall be in place to
control the implementation of
software on operational
systems.
Test data shall be protected
and controlled.
Strict control shall be
maintained over access to
program source libraries.
To maintain the security of
application system software
and information.
The implementation of
changes shall be strictly
controlled by the use of formal
change control procedures.
Application systems shall be
reviewed and tested when
changes occur.

Page 21 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #
12.5.5

Outsourced software
development

12.6

Technical Vulnerability
Management

12.6.1

Control of technical
vulnerabilities

13

Information security
incident management
Reporting information
security events and
weaknesses

13.1

13.1.1

Reporting information security


events

13.1.2

Reporting security
weaknesses.

13.2

Management of information
security incidents and
improvements

March 1, 2006

Control

Outsourced software
development shall be supervised
and monitored by the
organization.
To reduce risks resulting from
exploitation of published
technical vulnerabilities.
Timely information about
technical vulnerabilities of
information systems being used
shall be obtained, the
organization's exposure to such
vulnerabilities evaluated, and
appropriate measures taken to
address the associated risk.

Title

ISO
17799:2000
Ref #
10.5.5

Outsourced software
development

Control

Controls shall be applied to


secure outsourced software
development.

New objective

New control

New area
To ensure information security
events and weaknesses
associated with information
systems are communicated in a
manner allowing timely
corrective action to be taken.
Information security events shall
be reported through appropriate
management channels as quickly
as possible.
All employees, contractors and
third party users of information
systems and services shall be
required to note and report any
observed or suspected security
weaknesses in systems or
services.
To ensure a consistent and
effective approach is applied to
the management of information

New objective

6.3.1

Reporting security incidents

6.3.2

Reporting security
weaknesses

Security incidents shall be


reported through appropriate
management channels as
quickly as possible.
Users of information services
shall be required to note and
report any observed or
suspected security
weaknesses in, or threats to,
systems or services.

New Objective

Page 22 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #
13.2.1

Responsibilities and
procedures

13.2.2

Learning from information


security incidents

13.2.3

Collection of evidence

14
14.1

Business continuity
management
Information security aspects
of business continuity
management

14.1.1

Including information security

March 1, 2006

Control

security incidents.
Management responsibilities and
procedures shall be established
to ensure a quick, effective and
orderly response to information
security incidents.

There shall be mechanisms in


place to enable the types,
volumes, and costs of information
security incidents to be quantified
and monitored.
Where a follow-up action against
a person or organization after an
information security incident
involves legal action (either civil
or criminal), evidence shall be
collected, retained, and presented
to conform to the rules for
evidence laid down in the relevant
jurisdiction(s).

ISO
17799:2000
Ref #

Title

8.1.3

Incident management
procedures

6.3.4

Learning from incidents

12.1.7

Collection of evidence

Control

Incident management
responsibilities and
procedures shall be
established to ensure a quick,
effective and orderly response
to security incidents and to
collect incident related data
such as audit trails and logs.
Mechanisms shall be put in
place to enable the types,
volumes and costs of incidents
and malfunctions to be
quantified and monitored.
Where action against a person
or organization involves the
law, either civil or criminal, the
evidence presented shall
conform to the rules of
evidence laid down in the
relevant law or in the rules of
the specific court in which the
case will be heard. This shall
include compliance with any
published standard or code of
practice for the production of
admissible evidence.

11
To counteract interruptions to
business activities and to
protect critical business
processes from the effects of
major failures of information
systems or disasters and to
ensure their timely resumption.
A managed process shall be

11.1

Aspects of business
continuity management

To counteract interruptions
to business activities and to
protect critical business
processes from the effects
of major failures or
disasters.

11.1.1

Business continuity

There shall be a managed

Page 23 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #

in the business continuity


management process

14.1.2

Business continuity and risk


assessment

14.1.3

Developing and implementing


continuity plans including
information security

14.1.4

Business continuity planning


framework

14.1.5

Testing, maintaining and reassessing business continuity


plans

15
15.1

Compliance
Compliance with legal

March 1, 2006

Control

developed and maintained for


business continuity throughout
the organization that addresses
the information security
requirements needed for the
organizations business
continuity.
Events that can cause
interruptions to business
processes shall be identified,
along with the probability and
impact of such interruptions and
their consequences for
information security.
Plans shall be developed and
implemented to maintain or
restore operations and ensure
availability of information at the
required level and in the required
time scales following interruption
to, or failure of, critical business
processes.
A single framework of business
continuity plans shall be
maintained to ensure all plans are
consistent, to consistently
address information security
requirements, and to identify
priorities for testing and
maintenance.
Business continuity plans shall be
tested and updated regularly to
ensure that they are up to date
and effective.

To avoid breaches of any law,

ISO
17799:2000
Ref #

Title

Control

management process

process in place for


developing and maintaining
business continuity throughout
the organization.

11.1.2

Business continuity and


impact analysis

A strategy plan, based on


appropriate risk assessment,
shall be developed for the
overall approach to business
continuity.

11.1.3

Writing and implementing


continuity plans

Plans shall be developed to


maintain or restore business
operations in a timely manner
following interruption to, or
failure of, critical business
processes.

11.1.4

Business continuity planning


framework

A single framework of
business continuity plans shall
be maintained to ensure that
all plans are consistent, and to
identify priorities for testing
and maintenance.

11.1.5

Testing, maintaining and reassessing business continuity


plans

Business continuity plans shall


be tested regularly and
maintained by regular reviews
to ensure that they are up to
date and effective.

12.1

Compliance with legal

To avoid breaches of any

Page 24 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #

Control

requirements

statutory, regulator or
contractual obligations and of
any security requirements.

15.1.1

Identification of applicable
legislation

15.1.2

Intellectual property rights


(IPR)

15.1.3

Protection of organizational
records

15.1.4

Data protection and privacy of


personal information

15.1.5

Prevention of misuse of
information processing
facilities

All relevant statutory, regulatory,


and contractual requirements and
the organization's approach to
meet theses requirements shall
be explicitly defined, documented,
and kept up to date for each
information system and the
organization.
Appropriate procedures shall be
implemented to ensure
compliance with legislative,
regulatory, and contractual
requirements on the use of
material in respect of which there
may be intellectual property rights
and on the use of proprietary
software products.
Important records shall be
protected from loss, destruction,
and falsification, in accordance
with statutory, regulatory,
contractual, and business
requirements.
Data protection and privacy shall
be ensured as required in
relevant legislation, regulations,
and, if applicable, contractual
clauses.
Users shall be deterred from
using information processing
facilities for unauthorized
purposes.

March 1, 2006

ISO
17799:2000
Ref #

Title

requirements

Control

criminal and civil law,


statutory, regulatory or
contractual obligations and
of any security
requirements.
All relevant statutory,
regulatory and contractual
requirements shall be defined
explicitly and documented for
each information system.

12.1.1

Identification of applicable
legislation

12.1.2

Intellectual property rights


(IPR)

Appropriate procedures shall


be implemented to ensure
compliance with legal
restrictions on the use of
material in respect of
intellectual property rights, and
on the use of proprietary
software products.

12.1.3

Safeguarding of organizational
records

Important records of an
organization shall be protected
from loss, destruction and
falsification.

12.1.4

Data protection and privacy of


personal information

Controls shall be applied to


protect personal information in
accordance with relevant
legislation.

12.1.5

Prevention of misuse of
information processing
facilities

Management shall authorize


the use of information
processing facilities and
controls shall be applied to

Page 25 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #

Control

ISO
17799:2000
Ref #

Title

15.1.6

Regulation of cryptographic
controls

Cryptographic controls shall be


used in compliance with all
relevant agreements, laws, and
regulations.

12.1.6

Regulation of cryptographic
controls

15.2

Compliance with security


policies and standards, and
technical compliance

12.2

Reviews of security policy


and technical compliance

15.2.1

Compliance with security


policies and standards

To ensure compliance of
systems with organizational
security policies and
standards.
Managers shall ensure that all
security procedures within their
area of responsibility are carried
out correctly to achieve
compliance with security policies
and standards.

12.2.1

Compliance with security


policy

15.2.2

Technical compliance
checking

12.2.2

Technical compliance
checking

15.3

Information systems audit


considerations

Information systems shall be


regularly checked for compliance
with security implementation
standards.
To maximize the effectiveness
and to minimize interference
to/from the information
systems audit process.

12.3

System audit considerations

15.3.1

Information systems audit


controls

Audit requirements and activities


involving checks to operational
systems shall be carefully
planned and agreed to minimize
the risk of disruptions to business

12.3.1

System audit controls

March 1, 2006

Control

prevent the misuse of such


facilities.
Controls shall be in place to
enable compliance with
national agreements, laws,
regulations or other
instruments to control the
access to or use of
cryptographic controls.
To ensure compliance of
systems with organizational
security policies and
standards
Managers shall take action to
ensure that all security
procedures within their area of
responsibility are carried out
correctly and all areas within
the organization shall be
subject to regular review to
ensure compliance with
security policies and
standards.
Information systems shall be
regularly checked for
compliance with security
implementation standards.
To maximize the
effectiveness of and to
minimize interference
to/from the system audit
process.
Audits of operational systems
shall be planned carefully and
agreed to minimize the risk of
disruptions to business
processes.

Page 26 of 27

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000


Title

ISO
27001:2005
Ref #
15.3.2

Protection of information
systems audit tools

Control

processes.
Access to information systems
audit tools shall be protected to
prevent any possible misuse or
compromise.

Title

ISO
17799:2000
Ref #
12.3.2

Protection of system audit


tools

Control

Access to system audit tools


shall be protected to prevent
any possible misuse or
compromise.

Dropped controls
6.3.3

Reporting software
malfunctions

Procedures shall be established for reporting software


malfunctions.

9.4.2

Enforced path

The path from the user terminal to the computer service


shall be controlled.

9.5.1

Automatic terminal
identification

9.5.6

Duress alarm to safeguard


users

Automatic terminal identification shall be considered to


authenticate connections to specific locations and to
portable equipment.
Duress alarms shall be provided for users who might be
the target of coercion.

10.3.2

Encryption

Encryption shall be applied to protect the confidentiality


of sensitive or critical information.

10.3.3

Digital signatures

Digital signatures shall be applied to protect the


authenticity and integrity of electronic information.

10.3.4

Non-repudiation services

Non-repudiation services shall be used to resolve


disputes about occurrence or non-occurrence of an event
or action.

March 1, 2006

Page 27 of 27

S-ar putea să vă placă și