What is ISO 17799, ISO 27000, PCI Credit Card Standard

For my System Security class we get to learn about ISO 17799, ISO 27000, and the PCI Credit Card Standard. When I first started looking up information about 17799 and 27000 I was a bit overwhelmed and confused by the information that is out there on the web. I felt much like I was trying to memorize a chart like this:
Now I understand a bit better why there are so many software applications and business built around helping other businesses become compliant with these security standards.

So what are the ISO 17799, ISO 27000, and PCI Credit Card Standards?
They are a set of standards set forth by the International Organization for Standardization to ensure that consumer and customer data is kept safe. The ISO.org site says that the 17799 “contains best practices of control objectives and controls in the following areas of information security management:

security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management,  business continuity management, compliance.

In simple terms this means that businesses and organizations need to:

  • Make rules to protect their stuff and your data
  • Actually protect their stuff and workers
  • Keep others from stealing from them
  • Keep things maintained and running well
  • Keep the business running smoothly for customers
  • Make sure they are doing everything on this list correctly

I found it funny that the 17799, according to Wikipedia, is a word-for-word copy of the British Standard 7799-1. The 17799 was updated and renamed to 27002 to keep it up to date and grouped with similar documents numbered in the 27000 domain.

You can download the official ISO 2700 document from the iso website if you’re so inclined to read it or need it.

PCI Credit Card Standard

The PCI Credit Card Standard is a document outlining a standard to ensure that businesses that are taking credit card payments meet a minimum standard to ensure the safety of their customers and the associated data. The current standard covers 6 areas:

  • Have secure network
  • Keep data safe
  • Keep system up to date and secure
  • Good passwords & other access restriction measures
  • Watch network for failure and intrusion
  • Have a plan

What’s interesting to me about the PCI credit card standard is that it isn’t issued by a organization that has multi-national participation. It is run and enforced by the major credit card companies. If vendors aren’t compliant then the credit card holder is vulnerable and that isn’t good for the main credit card company because their customer will get hurt. In order for the credit card company to keep their good name and customers, they have set up a standard in hopes that their customers and money will be more protected. If a vendor isn’t compliant then the credit card company often fines or quits doing business with the vendor completely.

I think security standards are good in the fact that they push those who don’t care or who aren’t thinking about security, to do something about it. The downside to having security standards is that it creates an easy resting place for companies. It makes it easier for them to say, “I’m compliant so I don’t have to do any more than this”.  I think they can also misguide sometimes if the group making the standard focuses on a risk is in one place but an even greater risk ends up getting less attention.


This post is for a school assignment and I do not claim to be an expert by any means. I was assigned a topic I knew nothing about and tried to make sense of it and share what I learned in simple terms.



Published by


I am a Geek! I hope you enjoyed this recent post.

2 thoughts on “What is ISO 17799, ISO 27000, PCI Credit Card Standard”

  1. Mike,

    I think that this is a fairly good overview of a few of the security standards out there. They are really there to give organizations a framework to work within when building a security program, and help those companies make sense of, and plan for, security.

    The government has other similar standards (SP800-53, FISMA, etc) that govern how government agencies protect their data (I know from experience), and any regulated company is subject to some standard or another.

    Standards ARE good, in that they create an ideal – the things you should include in a security program. You are quite correct in that their major drawback is that they also tend to promote a “checkbox” mentality in the organizations that adopt them. The “checkbox” mentality is one in which things are done so that you can mark off the appropriate checkbox, and not because of a desire to improve security. Because of that, it’s often done half-heartedly, or worse – sloppily.

    Companies that are regulated (or do business with the government) will do as little as possible to meet their security obligations. The reason for that is simple economics (doing more costs money, and there’s no impetus for them to do more). Until that changes, and there are motivators driving organizations to focus on actually securing their data/network/systems, this is unlikely to change. An organization often must feel the pain of NOT properly managing security in order for them to start managing security properly.

    I’m being a little too long winded here, so I’m sorry for that.

    Overall – great post!

    (I work in Infosec, and have been a systems security officer for a government contractor, so speak from experience)

Comments are closed.