AUD411: SANS 17799 Security & Audit Framework
This track is designed for information security officers or other management professionals who are looking for a how-to guide for implementing ISO-17799 effectively. While the standard is very well written, anyone who has actually tried to shift to an ISO-17799 structured security organization knows that there can be some significant hurdles to overcome. This course will give you the information you need to go back to your organization with a plan of action to get the job done!
Introduction to ISO/IEC 17799/27001: Policy, ISMS & Awareness
Day one of this course begins with a general introduction and overview of ISO-17799 and some other comparable standards and then proceeds very quickly to address the how-to. Specifically, on this day you will walk through (at a somewhat high level) the twelve steps outlined by ISO-17799 and see how to Plan, Do, Check and Act. Further, you will learn about SANS' own version of PDCA, which extends the ISO-17799 methodology and gives you a strategy for attacking the rollout issues that you will face under ISO-17799. As the day progresses, there will be hands-on policy writing and analysis exercises, and information will be presented on how to create, administer and audit an effective awareness program and how to design the Information Security Management System. Perhaps the most important part of the day is the last section, How To Get There From Here, where all of the concepts from the day are tied together into an easy-to-use checklist.
SANS 17799/27001 Controls & Process Improvement I
The second day of the ISO-17799 Implementation Track deals with a variety of personnel and issue-specific security topics. The objective of the material covered on this day is to apply the policy creation techniques from day one to specific areas of the organization as they apply to employees and co-sourced individuals. This day will also spend time covering business impact analysis methodology in relation to risk mitigation through policy and education, while simultaneously examining possible process improvements and how they can be applied to the 7799 controls.
SANS 17799/27001 Controls & Process Improvement II
Day three of the ISO-17799 implementation track continues with coverage of the 7799 controls described in part 2 of the standard, covering access controls, user access management, remote access controls and network device security from the point of view of incident planning and handling. Time will be spent explaining how to measure the core competencies within the organization and identifying the best ways to handle security incidents in terms of fully defining the incident handling policy and staffing the incident-handler teams. This topic leads naturally to the discussion of business continuity planning and business continuity management. To better define the actual controls that are put into place operationally, much of the day will be spent covering a variety of technical topics.
SANS 17799/27001 Controls & Process Improvement III
Day four will complete the three-day discussion of each individual control in the audit criteria for 7799, continuing to describe and explain key controls and to discuss implementations and possible process improvements. We will address the issues surrounding continuous improvement of the methods used to develop security competency at both the organizational and personal levels. These include personal security competency development, coaching and continuous workforce security innovation.
Risk Management, Security Compliance and Audit Controls
While the first day of the course mentioned risk at a high level and presented a very simple risk analysis framework, this portion of the course focuses exclusively on risk analysis and risk management and relates them to compliance and audit controls. A variety of risk analysis strategies will be evaluated and compared, including basic methods, detailed methods, paper methods, and software-based approaches. We will analyze risk trees and use them to determine what falls in or out of the scope of a particular analysis, and relate all of these to the creation of strong preventive controls. The control measures that we will use in class come directly from the BS 7799 or ISO 17799 part 2 specifications.
ISO-17799 Implementation
The last day of the ISO-17799 Implementation Track is devoted completely to the hands-on construction of an ISMS in the classroom. The instructor acts as the CEO and the ISO at various points in the day, organizing the class into various committees. The instructor will provide a real-world business example, which will be used for the definition of the ISMS throughout the day. After the steering committee generates some initial control statements, the individual committees will work to create simple high-level policies that will be reviewed periodically throughout the day. Exercises in risk analysis and mitigation will be presented as problems are discovered during the course of development. After this day, you will have real experience working in an ISO-17799 initiation environment and be well equipped to tackle the task when you get back to your office!