How can an organization conduct an IT security audit to support the implementation of ISO 17799?
Although called an international standard, ISO/IEC 17799 is actually classified as a “Code of practice for information security management.” Much of the material is high-level and open to broad interpretation. It was adopted by ISO/IEC from the British Standards Institute, where it is Part 1 of the two-part BS 7799. ISO/IEC 17799 consists of 12 sections; the pertinent “standards” start at section 3. The standards within ISO/IEC 17799 most relevant to software security assurance include:

Section 8. Communications and Operations
• 8.1 Establish operational procedures
• 8.1.2 Control changes to facilities and systems
• 8.3 Protect against malicious software
• 8.3.1 Detect and prevent malicious software

Section 10. Systems Development and Maintenance
• 10.1 Identify system security requirements
• 10.1.1 Specify security controls and requirements that new information systems must meet
• 10.2 Build security into your application systems
• 10.2.1 Build input data validation controls into your