Why should one comply?
Compliance is not mandatory, which, considering that there are 148 controls, is just as well.
Before embarking on the route to compliance an organisation needs to consider the following:
- Understand the extent of the controls outlined in BS7799
- Determine which controls relate to your business
- Weigh up the benefits to your business against the time and expenditure required to achieve compliance
- Legal requirements of your business, if any
- Regulatory requirements, if any
- Structure of your organisation
On completion of this analysis, most organisations will find that they do not require full BS7799 compliance to run their business more securely; however, there may be a desire to achieve compliance in specific areas.
Evidence and justification must be given for excluding any of the control objectives set out in the standards documentation. The evidence should be derived from the risk assessment stage, where it can be shown that, due to the nature of your business, the risks identified within specific control areas are of no consequence to your business and, as a result, the implementation of those specific controls is redundant.
Whilst it might not be necessary for the majority of organisations to achieve compliance or certification, there are several good reasons for both:
- Industry "best practice" for security
- Increases the level of information security within your organisation
- Good security practice
- Encourages trust
- Better working practices once compliant
- Good marketing
- Working with government agencies and health authorities
- Working with third parties who are already compliant
- If your business is subject to DPA regulations, then BS7799 compliance will enforce your organisation's practice of "due diligence"
What is required to achieve compliancy?
The first step to compliance requires an organisation to establish and maintain a documented Information Security Management System (ISMS). The ISMS must address:
- The organisation's assets to be protected
- The organisation's approach to risk management
- Control objectives and controls
- Degree of assurance required by the organisation
Compliance with BS7799 requires an organisation to follow six steps:
Step 1: Define the organisation's information security policy.
Step 2: Define the scope of the ISMS. Going through the controls outlined in BS7799-1:2000, an organisation will need to decide which controls are suitable for assessment within their organisation. The selection of controls will depend on: the business requirements, the assets to be protected, location and the technology in use.
Step 3: Risk assessment. The aim of the assessment is to identify the threats and vulnerabilities to assets and the impacts on the organisation. The results of this will determine the degree of risk.
Step 4: Risk management. The areas of risk to be managed are identified by the information security policy and the degree of assurance required by the organisation.
Step 5: Selection of the controls detailed in clause 4 of BS7799-1:2000 to be implemented, and the objectives of these controls. Justification for the selections made must be provided.
Step 6: Statement of applicability. An organisation will need to document the selected control objectives and controls, the reasons for their selection, and justification for the exclusion of any of the controls listed in clause 4.
Figure 1: Six Major steps towards BS7799-2 Compliance
Should one Certify?
The decision to certify is subjective. It is important to realise that, as with compliance, it is not mandatory to achieve certification. Once an organisation believes that it has achieved the following:
- Defined the scope of the ISMS
- Documented and implemented the ISMS in accordance with the control objectives set out in clause 4 of the standards documentation
- Provided justification, if required, for any exclusions
then it can apply for certification, which entails an audit of the implemented ISMS by a qualified and accredited BS7799 assessor.
The task of certification is an arduous and continuous process that should be considered carefully. Once certification has been achieved, it has to be maintained, which entails periodic reviews, site visits by a BS7799 assessor and recertification every 3 years. As a result, an organisation should analyse the benefits specific to their business that certification will bring.
In addition to the benefits obtained through compliance, certification also offers the following additional benefits:
- Credibility and confidence
- Compliance with relevant laws and regulations
It is worth noting that certification is not foolproof, i.e. the certificate does not suddenly give your organisation a "hacker proof" seal. However, it does show that you have taken all the necessary precautions required to minimise the risks to your business.
Not every organisation needs to go down the certification route; however, by using BS7799 as a guideline by which you manage the risks to your business, you will be fulfilling your fiduciary responsibilities as an organisation in the protection of your company's assets.
What is required for certification?
In order to reach certification, you must first achieve compliance as set out in the "what do I need to do to comply" section. Once this has been achieved, the certification process requires an external review by a BS7799 accredited assessor.
The assessor will work for a certification body such as BSI Assessment Services Ltd; they will audit your organisation's ISMS in line with the controls set out in Clause 4. On successful completion of the audit, your organisation will be awarded the BS7799-2 certificate.
The certificate will detail the scope of your ISMS and your statement of applicability.
Major control areas required for certification
There are 148 controls in total; the list below highlights the major control areas. Any exclusion of the following control objectives from your defined ISMS must be justified and evidenced during the risk assessment phase. These exclusions should be documented in your statement of applicability.
A full list of the detailed controls can be purchased online on the BSI website at http://www.BSI-global.com.
About the Author:
Trinity Security Services (Trinity) is a leading independent information security solutions and services provider. Customers include a range of FTSE 250 companies across the UK and Europe.
Trinity provides its customers with market leading expertise, delivering solutions ranging from the technical such as IDS, VPN and E-commerce, to strategic services including security policy and procedure development.
Read this newsletter at: http://www.itmanagementnews.com/2004/0304.html