Information Security Management System - BS 7799
One of our instructors returns from an official British Standards Institute course for IT security standard 7799 - and shares his experience of the accreditation process.
25 August 2004
e-academy instructor Stuart Aiken has just returned from an official British Standards Institute (BSI) course for IT security standard 7799 - which culminated in him passing the examination for lead auditor status. We thought it worth sharing his experiences, via a review of what an organisation has to do in order to achieve this new (and highly respected) standard.
Starting with its potential weak points, it is worth noting that much as BSI would probably have liked international agreement, the standard has not (as yet) been ratified by the International Standards Organisation (ISO): the ISO in progress is 17799. That said, BSI has built an enviable reputation in the field of setting concise, quantifiable, robust and reviewable industry standards - so much so that their portfolio is widely adopted throughout the world.
So what of the BS 7799?
In essence, BS 7799 consists of two parts: clauses and conditions:
Part one - Information Security Management System (ISMS) - Specifications BS 7799-2:2002
The clauses consist of:
4 - Information Security Management System (ISMS)
5 - Management responsibility
6 - Management review of the ISMS
Annex A - Control objectives and controls
Annex B - Guidance on use of the standard
Annex C - Correspondence between previous clauses
Part two - Information technology - Code of practice for information security management - BS ISO/IEC 17799:2000, BS 7799-1:2000
The conditions consist of:
1 - Scope
2 - Terms and definitions
3 - Security policy
4 - Organisational Security
5 - Asset classification and control
6 - Personnel security
7 - Physical and environmental security
8 - Communications and operations management
9 - Access control
10 - Systems development and maintenance
11 - Business continuity management
12 - Compliance
In keeping with their other standards, BSI keeps a fairly tight grip on training courses and consultant lists - but does work closely with the International Register of Certificated Auditors (IRCA) when it comes to the actual auditing of those companies which wish to attain BS 7799 (part 2) accreditation.
There are six steps to achieving registration to BS 7799 with BSI.
Step 1 - Establish a management framework.
Step 2 - BSI will then provide an estimate of costs and timescales for formal assessment.
Step 3 - Submit a formal application to BSI.
Step 4 - BSI will undertake a desktop review of the risk assessment, policy, scope, statement of applicability and procedures. This will identify any weaknesses and omissions in the company's information management system which need to be resolved.
Step 5 - BSI will then conduct an on-site assessment and make recommendations.
Step 6 - On successful completion of the audit, a certificate of registration is issued - which clearly identifies the scope of the Information Security Management System.
This certificate remains valid for three years and is supported by routine assessment visits throughout.
To summarise, the main areas to address, if your company is intending to pursue formal certification, are as follows:
1. Security policy - a management signed-off document, to enforce commitment to the information security (IS) management system process.
2. Security organisation - a framework to initiate and manage IS provision.
3. Asset registration and control - an inventory of IS items that will require protection.
4. Personnel security awareness - training, coupled with well-defined job descriptions which outline staff security roles and responsibilities.
5. Physical and environmental security - clear guidelines of the security requirements and implementation for your premises and personnel within it.
6. Communications and operations management - ensure the IS plan and systems are well documented and transmitted, to facilitate smooth operation and compliance.
7. Access control - the protection and control of IS across the whole network infrastructure.
8. Systems development and maintenance - ensure that IT projects and application development are conducted in a secure manner, encrypted and tested in isolation where appropriate.
9. Business continuity management - development and maintenance of a business continuity plan (BCP) to include rehearsal where appropriate (litmus test question: how long can your IS be off-line or compromised before you have no business base to re-start?).
10. Compliance - a demonstration of commitment to meet (or surpass) and maintain statutory and regulatory IS requirements.
Lest we forget, there are other IS security standards such as COBIT (generic) and the Sarbanes-Oxley Act (mainly for the accounting industry) to name but two.
Recent high profile IS breaches, coupled with the high intrinsic value of information, are highlighting an ever increasing need for organisations to protect (and be seen to be protecting) their IS systems, using a controlled systematic approach covering people, processes and IT systems, whichever standard they choose to adopt.