The advantages of compliance to the SANS/ISO 17799 Standard
- Reduce the risk of losing valuable company information, and giving your
competitors an unfair advantage.
- Reduce the legal risks associated with information technology;
a. Delictual liability for loss of third-party or personal information
b. control the liabilities associated with the employee behavior, including
inadvertent contracting, inappropriate use of Web-based resources
c. Show best practice when confronted with claims for vacariouse liability
for employee behavior, for example employees using unlicensed software, employees
breaching copyright or employees engaging in the illegal file sharing activities.
d. Delictual liability for loss caused the third parties by malicious software
e. Ensure policies are in place for disciplining employees for inappropriate
behavior with respect to information technology.
f. Ensure you have contractual controls to stop cyber crime and information
g. Ensure you have contractual controls over third parties who may have access
to your system
h. Reduce the risk of embarrassing or defamatory company information being
- Show "corporate good governance", specifically with reference
to the King 2 report, where information security was outlined as a management
or board responsibility.
- Ensure that all electronic data is stored in your systems in such a way
as it can be used for evidential purposes in either litigation or with respect
to employment disputes. (In terms of the Electronic Communications and Transactions
act 25 of 2002)
- Ensure that all company records are stored so as to comply with various
legislation requirements, such as the companies act. (Document retention and
- Ensure the company complies with the (provisional) Data Protection Bill,
that should be enacted later this year
- Giving the company a comparative advantage when supplying too organisations
or companies that also wish to comply with information security standards.
This is specifically relevant to parties wishing to supply to the South African
Government and all Government Departments as Government has made a commitment
to compliance to this standard.
- Giving the company a comparative advantage when dealing with European based
companies, because of the European Directive on Data Protection which states
is such companies may only outsource data processing where it involves personal
information or similar to companies that can show "adequate security".
- Reduce the risk of data corruption, or "incorrect data input"
which could lead to company embarrassment, poor customer service or potential
- Ensure that adequate disaster recovery mechanisms have been put into place.
And show "best practice" with regards to limiting liability towards
third parties should a disaster occur.
- Ensure that all legal obligations in this area are adequately complied to.
- Ensure that Information Security Management is practiced throughout the
company, and is done so in a holistic manner, including physical security,
personnel security, IT security and so forth.
08 Sep 2004
This article is intended to provide general guidance and does not constitute professional advice relating to specific instances. Should you wish to place any reliance on the information presented in this article we strongly advise that you consult your legal advisor or the Electronic Law Consultancy - firstname.lastname@example.org