[security-awareness] New Version of ISO 17799 Released

---------- Forwarded message ----------
From: laurahamp 
Date: Jun 17, 2005 6:46 AM
Subject: [security-awareness] New Version of ISO 17799 Released
To: security-awareness@yahoogroups.com

A quick heads up that the new release of the security standard, ISO
17799, has this week been published. From the 17799 Newsletter:

The official revision of ISO/IEC 17799 is now available (June 2005).
This new version has been in process for several years, and introduces
a number of significant changes to ISO 17799. The old version,
originally published in December 2000, has been withdrawn with
immediate effect.

The new standard now contains 11 'core' chapters, as opposed to 10,
with existing chapters being renamed and re-organized. The new chapter
format is as follows:

1) Security Policy
2) Organizing Information Security
3) Asset Management
4) Human Resources Security
5) Physical and Environmental Security
6) Communications and Operations Management
7) Access Control
8) Information Systems Acquisition, Development and Maintenance
9) Information Security Incident Management
10) Business Continuity Management
11) Compliance.

The new version of the standard also introduces controls to address a
range of issues not previously covered. These include topics such as
outsourcing provision and patch management. Equally, other areas have
been substantially extended or re-shaped, such as employment
termination, and mobile/distributed communication.

In addition to the content itself, several steps have also been taken
to enhance the "user friendliness" of the standard. The standard has
also been normalized to position itself to sit more comfortably
alongside related security standards in the future.

The following official outlet (BSI) has been updated to provide copies
of the new standard (as opposed to the old):

The ISO 17799 Toolkit, the standard's support and starter kit, has
also been updated to include the new version:

For further information see the ISO 17799 Newsletter archive site at:

I hope this is of interest.


This is an overview of the DIACAP’s final draft. 

The DIACAP includes the same things that the DITSCAP has, with two major differences: netcentric environments and GIG standards. With these two (and MANY other changes) it seems that this evolution of the DITSCAP has to take place. So many major levels of Information Assurance in the DoD and abroad have changed that the DITSCAP will have to embrace them to stay relevant.

The DIACAP policies will come from DoD Directive/Instruction 8500.01E/.2. [fixed 22 Aug 07]

The DIACAP supports Information Systems transitioning to netcentric environments and GIG Standards by:

  1. Ensuring uniformity of approach
  2. Managing and disseminating Information Assurance design, implementation, validation, sustainment and approach
  3. Being able to handle differing systems
  4. Facilitating a dynamic environment

Information Assurance will be implemented with Information Assurance Controls as defined by DoDI 8500.2 and maintained through a DoD-wide configuration management process that considers the GIG architecture and risk assessments conducted at the DoD component level in accordance with FISMA.

The DIACAP will support the ongoing validation to maintain the Information Assurance posture of an Information System. DoD component IA Programs are the primary method of supporting the DoD Information Assurance Program.

Status of all systems in the DIACAP program will be available to all who have authorized access.