Scope
This Standard is complimentary to AS/NZS 7799.2:2003, Information security management - Specification for information security management systems and HB 231:2004, Information security risk management guidelines.

Application
Information is a vital asset in any organization. The protection and security of information is of prime importance to many aspects of an organization's business. It is therefore important that an organization implements a suitable set of controls and procedures to achieve information security and manages them to retain that level of security once it is achieved.

This Standard is intended for use by managers and employees who are responsible for initiating, implementing and maintaining information security within their organization and it may be considered as a basis for developing organizational security standards.

A comprehensive set of controls comprising the best information security practices currently in use is provided in this Standard. This guidance is intended to be as comprehensive as possible. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce and can therefore be applied by large, medium and small organizations.

With increasing electronic networking between organizations there is a clear benefit in having a common reference document for information security management. It enables mutual trust to be established between networked information systems and trading partners and provides a basis for the management of these systems between users and service providers.