BS 7799 is the UK national standard for best practice in information security. Its code of practice, BS 7799-1:1999, was adopted as the International Standard ISO/IEC 17799:2000 and has now been withdrawn in the UK, where it is replaced by a dual-numbered publication of that International Standard.
BS 7799-1:1999 was originally a proposal submitted by a technical committee of UK organisations for an international standard on information security management. During the feedback phase of its development it was agreed that the international standard would be a single-part standard until further work was completed. For implementation in the UK, the British Standard has been dual-numbered as follows:
a) BS ISO/IEC 17799:2000 - UK implementation of the international standard
b) BS 7799-1:2000 - Retention of the original British Standard identifier
As part of the UK implementation, an informative National Annex (NA) has been produced so that users of the existing British Standard BS 7799-1:1999 can identify the changes between it and BS ISO/IEC 17799:2000. Trinity Security Services offers a conversion consultancy service to help organisations that already hold certification to migrate to the new and updated standard.
“BS ISO/IEC 17799 provides a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.”
- Extract from the standard itself, Section 1 Introduction: National Foreword
BS 7799 is therefore a code of practice that gives an organisation baseline guidance on the types of security control it should implement to safeguard its assets. Its companion specification, BS 7799-2, sets out the requirements for planning, implementing and reviewing a complete Information Security Management System (ISMS) based on the following generic methodology:
This methodology guides an organisation through the steps needed to establish a management framework that encompasses the people, the IT systems and the processes within the organisation. The ISMS requirements aim to:
Identify the assets to be protected
Define the organisation's approach to risk management
Identify and define the control objectives and the controls
Define the degree of assurance required
The ten control areas, listed in clause 4 of BS 7799-2 and mirroring the code of practice in BS 7799-1:2000, are:
Security policy
Security organisation
Asset classification and control
Personnel security
Physical and environmental security
Communications and operations management
Access control
Systems development and maintenance
Business continuity management
Compliance, to avoid breaches of criminal and civil law and of statutory, regulatory or contractual obligations
Why is there so much fuss about BS 7799 now?
Much of the current attention is due to the publicity that the information security market has gained in recent years. Increasingly high-profile information security breaches have led to a greater focus on counter-measures, and as the economy has started to show signs of recovery, budgets are being made available for investment in better security.
Historically, security guidelines and controls were the domain of the public sector rather than the private sector. In previous years most private sector companies would only have put themselves through information security compliance if they were doing business with parts of the public sector that required it.
However, business is now transacted in an inherently more dynamic and faster-paced way. As a result, technologies such as PKI and encryption, which were once solely the domain of government bureaus, are becoming a large part of the commercial landscape.
Business managers now have to reconsider how they identify and value their assets. Knowledge is power, and managers in the know realise that to retain that power they need to safeguard their information. To justify the importance placed on this information, its value must be translated into monetary terms.
Once the monetary value of an organisation's information assets is realised, business managers soon become aware that they need to do more to safeguard them. As dynamic information exchange becomes the norm for conducting business, managers are forced to take greater responsibility.
With the advent of the Data Protection Act 1998 (DPA), information asset owners need to ensure that they fulfil their legal duties and are seen to exercise due diligence in protecting their organisation's information assets.
BS 7799 is one of the few methods, if not the only one, that specifically addresses the protection of information. It provides detailed guidelines on how a secure management framework should be implemented.
About the Author: Trinity Security Services (Trinity) is a leading independent information security solutions and services provider. Its customers include a range of FTSE 250 companies across the UK and Europe.
Trinity provides its customers with market-leading expertise, delivering solutions ranging from technical services such as IDS, VPN and e-commerce security to strategic services including security policy and procedure development.
Read this newsletter at: http://www.itmanagementnews.com/2004/0301.html