803: Reference Material
Information Security Policies & Procedures Manual
Section 800: Awareness and Training
The ISO 27000 series of standards has been specifically reserved by ISO for information security matters and will be populated with a range of individual standards and documents. The following series is currently planned or already published:
ISO 27001 – Specification for an information security management system (ISMS).
ISO 27002 – Potential new designation for the existing ISO 17799, which is a code of practice for information security.
ISO 27003 – New standard for guidance on the implementation of an ISMS.
ISO 27004 – New standard for information management measurement and metrics.
ISO 27005 – New standard for information risk management.
ISO 27006 – New standard to provide guidelines for the accreditation of organizations offering ISMS certification.
From www.isaca.org/cobit: COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
OUS Internal Audit will be using COBIT as their auditing standard for Information Security.
Formally adopted by the Board of Higher Education in June 2007, the Oregon University System Information Security Policy has been incorporated as OAR 580-055-0000 and is available at:
This policy identifies eight areas where policies and procedures are required to be adopted by each institution in the system and contains some minimum requirements for each area. This manual is organized to address all eight areas.
Passed by the 2007 Oregon Legislature as Senate Bill 583 and signed into law by the Governor, this law requires entities that collect “personal information” on Oregon residents to adopt administrative and technical safeguards to protect it. It also requires notification in the event of a security breach involving this information. More information can be found at: