【正文】 agement and applicable for most anizations. They are explained in more detail below under the heading 170。 b) The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the anization or individual information systems. It is important to carry out periodic reviews of security risks and implemented controls to: a) Take account of changes to business requirements and priorities。 b) Integrity: safeguarding the accuracy and pleteness of information and processing methods。Information Security Management BS 77991:1999 Part 1: Code of practice for information security management Foreword This part of BS 7799 has been prepared under the supervision of the BSI/DISC mittee BDD/2, Information security management. It supersedes BS 7799:1995, which is withdrawn. BS 7799 is issued in two parts: ? Part 1: Code of practice for information security management。 ? Part 2: Specification for information security management systems. BS 77991 was first issued in 1995 to provide a prehensive set of controls prising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and merce, and to be used by large, medium and small anizations. The term anization is used throughout this standard to mean both profit and nonprofit making anizations such as public sector anizations. The 1999 revision takes into account recent developments in the application of information processing technology, particularly in the area of works and munications. It also gives greater emphasis to business involvement in and responsibility for information security. Not all of the controls described in this document will be relevant to every situation. It cannot take account of local system, environmental or technological constraints. It may not be in a form that suits every potential user in an anization. Consequently the document may need to be supplemented by further guidance. It can be used as a basis from which, for example, a corporate policy or an interpany trading agreement can be developed. As a code of practice, this British Standard takes the form of guidance and remendations. It should not be quoted as if it were a specification, and particular care should be taken to ensure that claims of pliance are not misleading. It has been assumed in the drafting of this standard that the execution of its provisions is entrusted to appropriately qualified and experienced people. Annex A is informative and contains a table showing the relationship between the sections of the 1995 edition and the clauses of the 1999 edition. A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. What is information security? Information is an asset which, like other important business assets, has value to an anization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected. Information security is characterized here as the preservation of: a) Confidentiality: ensuring that information is accessible only to those authorized to have access。 c) Availability: ensuring that authorized users have access to information and associated assets when required. Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, anizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the anization are met. Why information security is needed Information and the supporting processes, systems and works are important business assets. Confidentiality, integrity and availability of information may be essential to maintain petitive edge, cashflow, profitability, legal pliance and mercial image. Increasingly, anizations and their information systems and works are faced with security threats from a wide range of sources, including puterassisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as puter viruses, puter hacking and denial of service attacks have bee more mon, more ambitious and increasingly sophisticated. Dependence on information systems and services means anizations are more vulnerable to security threats. The interconnecting of public and private works and sharing of information resources increases the difficulty of achieving access control. The trend to distributed puting has weakened the effectiveness of central, specialist control. Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls s