ISO17799 Information Security Standard in Plain English

The ISO 17799 2000 standard is all-encompassing. It takes a very broad
approach to information security. In the context of this standard, the term
information includes all forms of data, documents, communications,
conversations, messages, recordings, and photographs. It includes
everything from digital data and email to faxes and telephone
conversations. It includes all forms of information.

The ISO/IEC 17799 2000 standard, and our interpretation of it, consists of
recommended information security practices. These recommended practices
are found in sections 3 to 12. Since these recommendations start in section 3,
the following material also starts in section 3.

ISO 17799 2000 INFORMATION SECURITY STANDARD

3. Security Policy

3.1 Establish an information security policy.

3.1.1 Develop an information security policy document.

Document your organization's information security policy.
Publish your organization's information security policy.

3.1.2 Review and evaluate your information security policy.

Clarify who owns your information security policy.
Define a security policy review and evaluation process.
Carry out periodic information security policy reviews.

ISO 17799 2000 INFORMATION SECURITY STANDARD

4. Organizational Security <<< SEE MORE DETAIL

4.1 Establish a security infrastructure.

4.1.1 Set up a management information security forum.

Assign the responsibility for information security to one manager.
Establish a management forum to support information security.

4.1.2 Co-ordinate information security implementation.

Establish a management forum to implement security controls.

4.1.3 Allocate information security responsibilities.

Allocate responsibility for the protection of information assets.
Appoint a manager to protect your information assets.
Appoint an owner for each information asset.

4.1.4 Establish an authorization process for new facilities.

Set up authorization process to control new information facilities.
Control business use of personal information processing facilities.

4.1.5 Identify specialized information security advisors.

Identify in-house information security advisors.
Consult security advisors when security incidents occur.

4.1.6 Maintain relationships with other organizations.

Maintain relationships with security agencies and groups.

4.1.7 Perform independent security policy reviews.

Perform independent reviews of your information security policy.

4.2 Control third party access to facilities.

4.2.1 Identify third party access risks.

4.2.1.1 Consider types of third party access.

Examine the risks associated with allowing third party access.

4.2.1.2 Establish special information access controls.

Carry out risk assessments to evaluate third party access.
Set up special access controls to regulate third party access.

4.2.1.3 Control on-site contractor information access.

Use contracts to define contractor access to information.

4.2.2 Use contracts to control third party access.

Use contracts to control access to your information processing facilities.

4.3 Control outsourced information processing.

4.3.1 Use contracts to control outsourced services.

Use contracts to specify how legal requirements should be met.
Use contracts to specify the security requirements that must be met.

ISO IEC 17799 2000 INFORMATION SECURITY STANDARD

5. Asset Classification and Control

5.1 Make information asset owners accountable.

5.1.1 Compile an inventory of all information assets.

Identify all of your organization's information assets.
Define levels of protection for your information assets.
Assign a security classification to all information assets.

5.2 Use an information classification system.

5.2.1 Develop information classification guidelines.

Give responsibility for classification to the originator or owner of information.
Classify information according to sensitivity and how much protection is required.
Apply your classification system to documents, records, data files, and disks.

5.2.2 Use information handling and labeling procedures.

Develop information handling procedures for each class of information.
Develop information labeling procedures for each class of information.

ISO17799 (BS 7799) INFORMATION SECURITY STANDARD

6. Personnel Security Management

6.1 Control your personnel recruitment process.

6.1.1 Include security in your job descriptions.

Prevent personnel from misusing your information processing facilities.
Monitor how well personnel comply with contractual security provisions.

6.1.2 Check the backgrounds of your job applicants.

Check the character references provided by job applicants.
Confirm the personal identity of people who apply for employment.
Verify the professional and academic qualifications of job applicants.
Perform credit checks for those with access to information processing facilities.

6.1.3 Use confidentiality or non-disclosure agreements.

Ask new employees to sign confidentiality or non-disclosure agreements.

6.1.4 Use employment contracts to protect information.

Make sure employee contracts define information security responsibilities.

6.2 Provide information security training.

6.2.1 Control your information security training.

Teach employees about your security requirements.
Teach employees about their legal responsibilities.
Teach employees about your business controls.

6.3 Respond to information security incidents.

6.3.1 Report information security incidents.

Make sure that incidents are reported to management.
Develop a formal security incident reporting procedure.
Establish a formal security incident response procedure.

6.3.2 Report security threats and weaknesses.

Make sure that personnel report all information security threats.
Make sure that personnel report all information security weaknesses.

6.3.3 Control your software malfunctions.

Develop a procedure for reporting software malfunctions.
Develop a procedure for responding to software malfunctions.

6.3.4 Learn from your security incidents.

Monitor and quantify the types of security incidents.
Monitor and quantify the costs of security incidents.

6.3.5 Develop a disciplinary process.

Develop a process to discipline people who violate your security procedures.

BS17799 (BS7799) INFORMATION SECURITY STANDARD

7. Physical and Environmental Security <<< SEE MORE DETAIL

7.1 Use secure areas to protect facilities.

7.1.1 Use perimeters to protect facilities.

Use security perimeters and barriers to protect facilities.
Restrict building access to authorized personnel.

7.1.2 Use entry controls to protect secure areas.

Record the date and time visitors enter and leave secure areas.
Use physical controls to restrict access to information processing facilities.

7.1.3 Use design strategies to protect secure areas.

Design your secure areas to withstand natural and man-made disasters.
Use intruder detection systems to prevent access to secure areas.

7.1.4 Use work guidelines to protect secure areas.

Use guidelines to control the work done in secure areas.
Supervise all work performed in secure areas.

7.1.5 Use holding areas to protect secure areas.

Control the use of your organization's delivery and holding areas.
Separate delivery and holding areas from information processing facilities.

7.2 Protect equipment from hazards.

7.2.1 Safeguard your equipment.

Isolate all equipment that requires an extra level of protection.
Adopt security measures to protect your equipment.

7.2.2 Protect your power supplies.

Protect your equipment from power failures.
Protect your equipment from electrical anomalies.

7.2.3 Secure your cables.

Protect power lines from unauthorized interception or damage.
Protect communication cables from unauthorized interception or damage.

7.2.4 Maintain your equipment.

Maintain your equipment to ensure that it functions properly.
Allow only authorized personnel to service your equipment.

7.2.5 Control off-site equipment.

Make sure that all off-site use of equipment is authorized.
Take additional security measures to deal with off-site risks.

7.2.6 Control equipment disposal.

Control the disposal of old or obsolete information processing equipment.
Control the re-use of old or obsolete information processing equipment.

7.3 Control access to information and property.

7.3.1 Establish a clear-desk and clear-screen policy.

Establish a clear-desk policy to protect information processing facilities.
Establish a clear-screen policy to protect information processing facilities.

7.3.2 Control the removal of property.

Get management authorization to take equipment off-site.
Get management authorization to take information off-site.
Get management authorization to take software off-site.

ISO17799 (BS 7799) INFORMATION SECURITY STANDARD

8. Communications and Operations <<< SEE MORE DETAIL

8.1 Establish operational procedures.

8.1.1 Document your operating procedures.

Develop operating procedures that comply with your security policy.
Develop housekeeping procedures for information processing facilities.
Develop housekeeping procedures for communication facilities.

8.1.2 Control changes to facilities and systems.

Control changes to your information processing facilities.
Control changes to your information systems.

8.1.3 Establish incident management procedures.

Develop procedures to handle all types of security incidents.
Develop procedures to handle information security failures.
Develop procedures to handle confidentiality breakdowns.
Develop procedures to handle the denial of service.
Develop procedures to handle the loss of service.
Develop procedures to handle incomplete data.
Develop procedures to handle inaccurate data.

8.1.4 Segregate control over key responsibilities.

Prevent misuse of information or services by segregating duties.
Prevent unauthorized modification of information by segregating duties.
Reduce the probability of fraud by reducing the opportunity for collusion.
Supervise work more closely whenever responsibilities can't be separated.

8.1.5 Separate systems development and operations.

Separate responsibility for software development, testing, and operations.
Control the transfer of software from development and testing to operations.

8.1.6 Control the management of external facilities.

Make sure that external contractors protect your information.
Make sure that contracts define controls that contractors must use.
Make sure that contracts specify business continuity requirements.

8.2 Develop plans to provide future capacity.

8.2.1 Monitor usage and meet future requirements.

Monitor your information storage and processing resource demands.
Identify your future information storage and processing requirements.
Develop plans to ensure future storage and processing needs will be met.

8.2.2 Use acceptance criteria to test systems.

Use acceptance criteria to test new systems before they are used.
Use acceptance criteria to test system upgrades before they are used.

8.3 Protect against malicious software.

8.3.1 Detect and prevent malicious software.

Implement controls to protect your systems against malicious software.
Implement controls to detect the introduction of malicious software.
Implement controls to prevent the introduction of malicious software.

8.4 Establish housekeeping procedures.

8.4.1 Back-up your information and software.

Make regular back-ups of all essential information.
Make regular back-ups of all essential software.

8.4.2 Maintain a log of operator activities.

Make sure that operators maintain a log of their activities.
Make sure that records can confirm that files are handled correctly.
Make sure that records can confirm that output is handled properly.
Make sure that log checks are performed by an independent person.

8.4.3 Report and log system faults.

Make sure that users report all system faults.
Make sure that you log all system fault reports.
Establish rules for handling reported faults.

8.5 Safeguard your computer networks.

8.5.1 Establish network security controls.

Establish controls to secure the information in computer networks.
Establish controls to protect connected services from unauthorized access.
Establish procedures to protect systems connected to public networks.
Establish procedures to manage and control remote equipment.

8.6 Protect and control computer media.

8.6.1 Manage removable computer media.

Establish procedures to manage and control removable computer media.

8.6.2 Control the disposal of your media.

Establish procedures to control the secure disposal of computer media.

8.6.3 Control information handling and storage.

Establish procedures to control information handling and storage.

8.6.4 Protect your system documentation.

Develop controls to protect your system documentation.

8.7 Control interorganizational exchanges.

8.7.1 Develop information exchange agreements.

Establish security agreements to control the exchange of information.
Establish security agreements to control the exchange of software.

8.7.2 Safeguard the transportation of computer media.

Establish controls to safeguard the physical transportation of media.
Establish special controls to safeguard sensitive information during transit.

8.7.3 Create controls to protect ecommerce.

Establish controls to protect online transactions.
Establish controls to protect electronic data interchange activities.

8.7.4 Establish controls to protect email.

8.7.4.1 Control the use of email.

Establish controls to make email less vulnerable to tampering.
Establish controls to make email less vulnerable to unauthorized access.
Establish controls to increase the reliability of your email service.

8.7.4.2 Develop an email policy.

Ensure that policy explains how email attacks should be handled.
Ensure that policy explains how email viruses should be handled.
Ensure that policy explains how email attachments should be handled.
Ensure that policy explains when cryptographic techniques must be used.
Ensure that policy explains when email should not be used.

8.7.5 Protect your electronic office systems.

Establish policies to protect your electronic office systems and facilities.
Reduce the vulnerability of information in your electronic office systems.
Control information sharing within and between electronic office systems.
Make arrangements that allow you to continue operating when systems fail.

8.7.6 Control your public information systems.

Establish a process to authorize publication of electronic documents.
Protect the integrity of information that is published electronically.
Establish a process to control how public feedback should be handled.

8.7.7 Regulate external communications.

Establish procedures to control voice communications.
Establish procedures to control mobile phone communications.
Establish procedures to control answering machine messages.
Establish procedures to control dial-in voice-mail systems.
Establish procedures to control video communications.
Establish procedures to control fax communications.

ISO17799 (BS7799) INFORMATION SECURITY STANDARD

9. Information Access Management Control

9.1 Control access to information.

9.1.1 Develop a policy and rules to control access.

9.1.1.1 Develop a policy to control information access.

Define the business requirements that your access controls must meet.
Establish an access policy that meets your business requirements.

9.1.1.2 Develop information access control rules.

Develop rules to control access to information.

9.2 Manage the allocation of access rights.

9.2.1 Establish a user registration procedure.

Develop a procedure to control the registration and de-registration of users.

9.2.2 Control the authorization of system privileges.

Establish an authorization process to control the allocation of special privileges.
Specify which staff members should have what kind of privileges.

9.2.3 Establish a process to manage passwords.

Establish a process to manage and control the allocation of passwords.
Store your organization's passwords on a secure computer system.

9.2.4 Review user access rights and privileges.

Make sure that managers review user access rights and privileges.

9.3 Encourage responsible access practices.

9.3.1 Encourage users to protect passwords.

Make sure that password selection follows best information security practices.

9.3.2 Encourage users to protect equipment.

Make sure that users know how to protect unattended equipment.
Make sure that users understand their equipment protection responsibilities.

9.4 Control access to computer networks.

9.4.1 Formulate a network use policy.

Establish a policy to control the use of networks and network services.

9.4.2 Use enforced paths to control access.

Reduce the opportunity for unauthorized access by using enforced paths.

9.4.3 Authenticate remote user connections.

Use authentication methods to prevent unauthorized access by remote users.
Carry out risk assessments to determine what level of protection is required.
Use cryptographic methods when strong protection is required.

9.4.4 Use node authentication to control remote users.

Use node authentication methods to authenticate remote users.
Use node authentication to prevent unauthorized access to applications.

9.4.5 Control remote access to diagnostic ports.

Control access to the diagnostic ports found in computers and systems.
Use procedures and key locks to control access to diagnostic ports.

9.4.6 Segregate internal and external networks.

Segregate your internal networks from your business partners' networks.

9.4.7 Restrict connection to shared networks.

Establish controls to restrict the users' ability to connect to shared networks.
Review and update shared network connection restrictions on a regular basis.

9.4.8 Establish shared network routing controls.

Use routing controls to ensure that information flows comply with access policy.
Use routing controls to ensure that computer connections comply with your policy.

9.4.9 Verify the security of network services.

Establish a description of the security features used by each network service.
Verify the security features of all network services used by your organization.

9.5 Restrict access at operating system level.

9.5.1 Use automatic terminal identification techniques.

Use automatic terminal identification techniques to authenticate connections.

9.5.2 Establish terminal log-on procedures.

Establish terminal log-on procedures to control access to information services.

9.5.3 Identify and authenticate all users.

Assign a unique identifier (ID) to each user.
Establish controls to limit assignment of IDs to groups.
Establish authentication procedures to verify the identity of users.

9.5.4 Set up a password management system.

Make sure that password system requires the use of "good quality" passwords.
Make sure that your password management system facilitates accountability.

9.5.5 Control the use of all system utilities.

Restrict the use of system utilities that could be used to override your controls.
Define authorization levels that are used to restrict the use of system utilities.

9.5.6 Provide duress alarms to protect users.

Provide duress alarms to users who could be the target of coercion or violence.
Carry out a risk assessment to determine who should have duress alarm systems.
Develop procedures that describe how people should respond to duress alarms.

9.5.7 Use time-outs to protect inactive terminals.

Use time-outs to prevent unauthorized access to inactive terminals.
Use time-outs to prevent unauthorized access to terminals in high risk areas.

9.5.8 Restrict terminal connection times.

Reduce the opportunity for unauthorized access by limiting connection times.

9.6 Manage access to application systems.

9.6.1 Regulate access to applications and information.

Use an access control policy to control access to functions and information.
Make sure that your business requirements determine your access restrictions.

9.6.2 Isolate sensitive application systems.

Isolate your organization's sensitive application systems.
Use dedicated computers to run your most sensitive applications.

9.7 Monitor system access and use.

9.7.1 Establish and maintain system logs.

Establish information system audit logs to record exceptions and events.

9.7.2 Monitor information processing facilities.

9.7.2.1 Establish procedures to monitor facilities.

Establish procedures to monitor the use of information processing facilities.
Carry out a risk assessment to identify what level of monitoring is needed.
Monitor authorized access to your information processing facilities.
Monitor unauthorized access to information processing facilities.

9.7.2.2 Review the results of monitoring activities.

Review high risk processing facility monitoring results more often.
Review the most critical application monitoring results more often.
Review the results that monitor the use of critical information.

9.7.2.3 Study logs to identify security events.

Review logs in order to identify possible security threats and incidents.
Ensure that log reviewers are independent of the people being reviewed.

9.7.3 Protect logs by synchronizing clocks.

Protect the credibility of logs by ensuring that computer clocks are accurate.
Establish a procedure to check computer clocks and correct time variations.

9.8 Protect mobile and teleworking assets.

9.8.1 Protect mobile equipment and information.

Protect the information processed by mobile computing equipment.
Establish a policy to address the risk of using mobile computing equipment.

9.8.2 Protect teleworking equipment and information.

Secure your organization's remote teleworking sites.
Develop a policy to control teleworking activities.

ISO17799 (BS 7799) INFORMATION SECURITY STANDARD

10. Systems Development and Maintenance

10.1 Identify system security requirements.

10.1.1 Specify security controls and requirements.

Specify the security controls that new information systems must meet.
Specify the security requirements that new information systems must meet.

10.2 Build security into your application systems.

10.2.1 Build input data validation in your systems.

Build input data validation controls into your application systems.
Develop procedures to respond to data validation errors.
Define the responsibilities of all data input personnel.

10.2.2 Build processing controls into your systems.

10.2.2.1 Design processing controls to minimize risk.

Build internal processing controls into your application systems.
Ensure that processing controls can detect data corruption.

10.2.2.2 Incorporate processing checks and controls.

Incorporate internal processing checks and controls into your systems.
Ensure that checks and controls can detect and prevent data corruption.

10.2.3 Build message authentication into your systems.

Protect electronic messages by building message authentication in systems.
Assess security risks before you decide how to use message authentication.

10.2.4 Build output data validation into your systems.

Ensure that output data is correct by building data validation into your systems.
Define the responsibilities of the people who manage and process output data.
Develop procedures to interpret and respond to output validation tests.

10.3 Use cryptography to protect information.

10.3.1 Develop a policy on the use of cryptography.

Make sure that cryptography policy explains how cryptography should be used.
Make sure that cryptography policy describes general encryption principles.
Make sure that cryptography policy describes roles and responsibilities.

10.3.2 Encrypt sensitive or critical information.

Do a risk assessment to identify the level of cryptographic protection needed.
Use cryptography specialists to help you develop cryptographic solutions.
Use legal experts to ensure that you comply with cryptography laws.

10.3.3 Protect documents with digital signatures.

Use digital signatures to protect integrity and authenticity of digital documents.

10.3.4 Use non-repudiation services to resolve disputes.

Use non-repudiation services to prove that an action or event has taken place.

10.3.5 Establish a key management system.

10.3.5.1 Protect your cryptographic keys.

Establish a management system to protect your cryptographic keys.

10.3.5.2 Use secure methods to manage keys.

Make sure that your key management system uses secure methods.

10.4 Protect your organization's system files.

10.4.1 Control the implementation of software.

Control the implementation of software on your operational systems.
Maintain an audit log of all updates to operational program libraries.

10.4.2 Control the use of system data for testing.

Control the use of operational data for system and acceptance testing.
Protect operational data while it is being used for testing purposes.

10.4.3 Control access to program source library.

Prevent program corruption by controlling access to program source libraries.
Appoint a program librarian for each one of your organization's applications.
Establish change control procedures to manage program source libraries.

10.5 Control development and support.

10.5.1 Establish change control procedures.

Establish procedures to control changes to your information systems.
Segregate software testing from software development and production.

10.5.2 Review changes to operating system.

Review and test application systems whenever operating system changes.
Make sure that operating system changes do not adversely effect applications.

10.5.3 Restrict changes to software packages.

Make sure people do not modify vendor-supplied software without approval.
Test all changes to vendor-supplied software before you implement them.
Document all changes to vendor-supplied software packages.

10.5.4 Safeguard against covert channels and Trojans.

Purchase programs from reputable sources.
Inspect all source code before you use it.
Control access to code once it's been installed.
Use trustworthy staff to work on important systems.

10.5.5 Control outsourced software development.

Manage and control your outsourced software development projects.

BS17799 (BS7799) INFORMATION SECURITY STANDARD

11. Business Continuity Management

11.1 Design a continuity management process.

11.1.1 Establish your continuity management process.

Identify the risks that threaten the security of your business processes.
Estimate the likelihood that you will be exposed to security risks and threats.
Analyze the impact that serious threats could have on your business processes.
Analyze the impact that serious disruptions could have on your organization.
Formulate business continuity plans for information processing facilities.

11.1.2 Perform threat analysis and impact analysis.

Carry out a threat analysis to identify the events that could interrupt business.
Carry out a risk assessment to identify the impact that interruptions could have.
Use the results of your analyses to define your approach to business continuity.

11.1.3 Develop your business continuity plans.

Develop plans to restore and continue operations after processes have failed.
Ensure that business continuity plans assign emergency management duties.
Ensure that business continuity plans define emergency response procedures.
Teach your staff about your crisis management methods and procedures.

11.1.4 Maintain a continuity planning framework.

Establish a single framework of continuity plans to ensure consistency.
Use business continuity framework to determine plan testing priorities.
Use business continuity framework to determine plan maintenance priorities.
Amend your business continuity plans whenever new security threats emerge.
Make sure that each continuity plan specifies when each plan is activated.

11.1.5 Test and update continuity management plans.

11.1.5.1 Test business continuity management plans.

Test the effectiveness of your business continuity plans regularly.
Make sure that all business continuity plans are up-to-date.

11.1.5.2 Update business continuity management plans.

Use regular reviews to maintain the effectiveness of continuity plans.
Update business continuity plans whenever business practices change.
Update business continuity plans whenever risk factors change.
Update business continuity plans whenever facilities change.

ISO 17799 2000 INFORMATION SECURITY STANDARD

12. Compliance Management

12.1 Comply with legal requirements.

12.1.1 Identify all relevant legal requirements.

Identify all legal requirements for each one of your information systems.
Identify the controls that you need in order to comply with legal requirements.
Identify the responsibilities that must be met to comply with legal requirements.

12.1.2 Respect intellectual property rights.

12.1.2.1 Create intellectual property procedures.

Set up procedures to ensure compliance with intellectual property rights.

12.1.2.2 Comply with all software copyrights.

Develop a software copyright compliance policy.
Develop policies to control software purchases.
Maintain a registry of proprietary software assets.

12.1.3 Safeguard your organization's records.

Implement controls to protect records and information from loss.
Implement controls to protect records and information from destruction.
Implement controls to protect records and information from falsification.

12.1.4 Protect the privacy of personal information.

Comply with all relevant legislation related to the use of personal data.
Appoint a data protection officer to provide advice on personal data issues.

12.1.5 Prevent misuse of data processing facilities.

Ensure that data processing facilities are not used for non-business purposes.
Monitor the use of data processing facilities to detect unauthorized use.

12.1.6 Control the use of cryptographic controls.

Ensure that use of cryptographic controls complies with all legal requirements.

12.1.7 Collect evidence to support your actions.

12.1.7.1 Comply with appropriate rules of evidence.

Collect evidence to support potential legal actions.
Collect evidence to support potential disciplinary actions.
Develop procedures that specify what kind of evidence is needed.
Make sure that your evidence will comply with legal rules of evidence.

12.1.7.2 Gather evidence that is admissible in court.

Ensure that your evidence would be admissible in a court of law.
Ensure that your information systems can produce legal evidence.

12.1.7.3 Protect the quality of your evidence.

Establish a strong trail of evidence whenever an illegal incident occurs.
Protect your evidence whenever a potentially illegal incident occurs.

12.2 Perform security compliance reviews.

12.2.1 Review compliance with security policy.

Review how well your organization follows its own security policies.
Review how well your organization follows its own security procedures.
Review how well your organization complies with official security standards.

12.2.2 Review technical security compliance.

Check systems to ensure compliance with technical security standards.
Carry out penetration tests to detect information security vulnerabilities.

12.3 Carry out operational system audits.

12.3.1 Plan the audit of operational systems.

Plan operational audit activities in order to minimize disruption.
Log all access to operational systems in order to product a reference trail.
Perform regular audits of your operational systems.

12.3.2 Protect your system tools.

Protect your system audit tools to prevent any possible misuse of these tools.
Segregate your system audit tools from operational and development systems.

ISO 17799 2000 INFORMATION SECURITY STANDARD

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
material as often as you wish, free of charge. And as long as you keep intact
all copyright notices, you are also welcome to print or make one copy of this
page for your own personal, noncommercial, home use. But, you are not
legally authorized to print or produce additional copies, or to copy and paste
any of our material onto another web site. If you would like to purchase our
material, please contact our Sales Desk. Our staff would be very pleased to
take your order or to answer any questions you might have.

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and
developing this electronic publication. We make no representation or warranties
with respect to accuracy or completeness of the contents of this publication and
specifically disclaim any implied warranties or merchantability or fitness for any
particular purpose and shall in no event be liable for any loss of profit or any
other commercial damage, including but not limited to special, incidental,
consequential, or other damages.


Home Page	Table of Contents	Alphabetical Index	Site Map

How to Order	Our Products	Our Prices	Our Guarantee

ISO IEC 17799 2000*

INFORMATION SECURITY STANDARD

TRANSLATED INTO PLAIN ENGLISH