APPENDIX C


ISO/IEC 17799:2005 and the ISO/IEC 27000:2014 Series

The material in this appendix is taken from the ISO (International Organization for Standardization) web site sections pertaining to information security. I have included it as a convenient compliance resource because it is referred to in Chapter 8 and other places throughout the book and is highly regarded. Having said that, its inclusion is more for completeness than for any significant contribution to web application security vulnerability knowledge. Even the most closely related ISO standards do not go into detail about web application security.

Specifically, this appendix includes summary outlines of the ISO/IEC 17799:2005 guidelines and the ISO 27000:2014 family of standards. Of the subject material published by the ISO, ISO/IEC 17799:2005 is the most closely related to web application security. The ISO/IEC 27000:2014 series is a family of standards useful for security framework planning.

ISO/IEC 17799:2005

As a quick point of reference, I have included an outline of the most current contents of ISO/IEC 17799:2005. Although it does not include any specific reference to web application security, this standard is an important set of guidelines and best practices. As such, it is not technical and is technology-agnostic.

Note  For detailed information on ISO/IEC 17799:2005, please visit the ISO information technology page for “Security techniques – Code of practice for information security management” at www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=39612.

The topics covered by ISO/IEC 17799:2005 include the following:

  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development, and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

The ISO/IEC 27000:2014 Series

The ISO also publishes several other IT security guidelines. These guidelines are most useful for security framework planning, though they are not specifically focused on web application security. This section includes a summary outline of the ISO information technology guidelines for “Security techniques: Information security management systems.”

Note  For detailed information on the ISO 27000:2014 series, see the following page: www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=63411.

The ISO 27000:2014 family of standards includes:

  • ISO/IEC 27000, Information security management systems — Overview and vocabulary
  • ISO/IEC 27001, Information security management systems — Requirements
  • ISO/IEC 27002, Code of practice for information security controls
  • ISO/IEC 27003, Information security management system implementation guidance
  • ISO/IEC 27004, Information security management — Measurement
  • ISO/IEC 27005, Information security risk management
  • ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27007, Guidelines for information security management systems auditing
  • ISO/IEC TR 27008, Guidelines for auditors on information security controls
  • ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
  • ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
  • ISO/IEC 27014, Governance of information security
  • ISO/IEC TR 27015, Information security management guidelines for financial services
  • ISO/IEC TR 27016, Information security management — Organizational economics