The Standard has historically been organized into six categories, or aspects. Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control.

The Standard is now primarily published in a simple "modular" format that eliminates redundancy. For example, the various sections devoted to security audit and review have been consolidated.

The six aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into sections, each of which contains detailed specifications of information security best practice. Each statement has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification No. 2 within that section.

The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the principles (which provide an overview of what needs to be performed to meet the Standard) and objectives (which outline the reason why these actions are necessary) for each section. The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information.