BS7799 Compliancy And Certification

Trinity Security Services Expert Author Article Date: 2004-02-24

What is Compliancy?

Compliancy with BS7799 requires an organisation to have implemented and documented an Information Security Management System (ISMS) in accordance with the control objectives set out in BS7799-1:2000.

What is Certification?

BS7799 certification provides independent evidence and assurance that an organisation has complied with the control objectives set out in the standard. The certificate records the scope of the organisation's ISMS and any exclusions from the control objectives.

This is verified by an independent assessor who performs an audit against the controls set out in the standard. Note that the certificate itself is awarded against BS7799-2, the specification for an ISMS; BS7799-1:2000 is the code of practice from which the controls are drawn.

Why should one comply?

Compliancy is not mandatory, which, given that there are 148 controls, is just as well.

Before embarking on the route to compliancy an organisation needs to consider the following:

  • The extent of the controls outlined in BS7799

  • Which controls relate to your business

  • The benefits to your business, weighed against the time and expenditure required to achieve compliancy

  • Any legal requirements of your business

  • Any regulatory requirements

  • The structure of your organisation

On completion of this analysis, most organisations will find that they do not require full BS7799 compliancy to run their business more securely; there may, however, be a desire to achieve compliancy in specific areas.

Evidence and justification must be given for excluding any of the control objectives set out in the standard. The evidence should come from the risk assessment stage, where it can be shown that, because of the nature of your business, the risks identified within a specific control area are of no consequence, so that implementing those controls would be redundant. An exclusion is a documented decision, not an omission: an assessor will expect to trace each excluded control back to the risk assessment that justifies it.

Whilst it might not be necessary for the majority of organisations to achieve compliancy or certification, there are several good reasons for both:

  • Alignment with industry best practice for security

  • An increased level of information security within your organisation

  • Good security practice

  • Encourages trust

  • Better working practices once compliant

  • Good marketing

  • Working with government agencies and health authorities

  • Working with third parties who are already compliant

  • If your business is subject to the Data Protection Act (DPA), BS7799 compliance provides evidence that your organisation is exercising "due diligence"

What is required to achieve compliancy?

The first step to compliancy requires an organisation to establish and maintain a documented Information Security Management System (ISMS). The ISMS documentation must set out:

  • The organisation's assets to be protected

  • The organisation's approach to risk management

  • The control objectives and controls

  • The degree of assurance required by the organisation

Compliancy with BS7799 requires an organisation to follow six steps:

    Step 1: Define the organisation's information security policy.

    Step 2: Define the scope of the ISMS. Working through the controls outlined in BS7799-1:2000, the organisation decides which controls fall within the scope of its ISMS and will be assessed. The selection depends on the business requirements, the assets to be protected, the locations and the technology in use.

    Step 3: Risk assessment. The aim of the assessment is to identify the threats to and vulnerabilities of the assets, and the impact on the organisation should they be realised. The results determine the degree of risk.

    Step 4: Risk management. The areas of risk to be managed are identified by the information security policy and the degree of assurance required by the organisation.

    Step 5: Selection of controls. Select the controls detailed in clause 4 of the standard that are to be implemented, together with their control objectives. Justification for the selections made must be provided.

    Step 6: Statement of applicability. Document the selected control objectives and controls, the reasons for their selection, and the justification for excluding any of the controls listed in clause 4.

    Figure 1: Six Major steps towards BS7799-2 Compliance

    Should one Certify?

    The decision to certify is subjective. It is important to realise that, as with compliance, it is not mandatory to achieve certification. Once an organisation believes that it has achieved the following:

    • Defined the scope of the ISMS

    • Documented and implemented the ISMS in accordance with the control objectives set out in clause 4 of the standard

    • Provided justification for any exclusions

    it can apply for certification, which entails an audit of the implemented ISMS by a qualified and accredited BS7799 assessor.

    Certification is an arduous and continuous process that should be considered carefully. Once certification has been achieved, it has to be maintained, which entails periodic reviews, site visits by a BS7799 assessor and recertification every three years.

    As a result, an organisation should analyse the benefits specific to its business that certification will bring.

    In addition to the benefits obtained through compliance, certification offers the following additional benefits:

    • Credibility and confidence

    • Compliance with relevant laws and regulations

    It is worth noting that certification is not foolproof: the certificate does not suddenly give your organisation a "hacker proof" seal. It does, however, show that you have identified the risks to your business and taken documented, independently verified steps to minimise them.

    Not every organisation needs to go down the certification route, however, by using BS7799 as a guideline by which you manage the risks to your business, you will be fulfilling your fiduciary responsibilities as an organisation in the protection of your company's assets.

    What is required for certification?

    In order to reach certification, you must first achieve compliancy as set out in the section "What is required to achieve compliancy?" above. Once this has been achieved, the certification process requires an external review of your ISMS by an accredited BS7799 assessor.

    The assessor will work for an accredited certification body such as BSI Assessment Services Ltd, and will audit your organisation's ISMS in line with the controls set out in clause 4 and your statement of applicability. On successful completion of the audit, your organisation is awarded a BS7799-2 certificate.

    The certificate will detail the scope of your ISMS and your statement of applicability.

    Major control areas required for certification

    There are 148 controls in total; the list below highlights the major control areas. Any exclusion of the following control objectives from your defined ISMS must be justified and evidenced during the risk assessment phase, and the exclusions must be documented in your statement of applicability.

    A full list of the detailed controls can be purchased on-line from the BSI web site.

    Security policy:
  • Information security policy: to provide management direction and support for information security

    Organisational security:
  • Information security infrastructure

  • Security of third party access

  • Outsourcing

    Asset classification and control:
  • Accountability for assets

  • Information classification

    Personnel security:
  • Security in job definition and resourcing

  • User training

  • Responding to security incidents and malfunctions

    Physical and environmental security:
  • Secure areas

  • Equipment security

  • General controls

    Communications and operations management:
  • Operational procedures and responsibilities

  • System planning and acceptance

  • Protection against malicious software

  • Housekeeping

  • Network management

  • Media handling and security

  • Exchanges of information and software

    Access control:
  • Business requirement for access control

  • User access management

  • User responsibilities

  • Network access control

  • Operating system access control

  • Application access control

  • Monitoring system access and use

  • Mobile computing and teleworking

    Systems development and maintenance:
  • Security requirements of systems

  • Security in application systems

  • Cryptographic controls

  • Security of system files

  • Security in development and support processes

    Business continuity planning:
  • Business continuity management

    Compliance:
  • Compliance with legal requirements

  • Reviews of security policy and technical compliance

  • System audit considerations

    How much will it cost to comply?

    There is no set fee for compliancy. The cost depends on a set of factors within the organisation and on the cost of the controls required to achieve compliancy. These factors are as follows:

  • Size of the organisation

  • Scope of the ISMS

  • Results of the assessment

  • Depth of assurance required

  • Number of controls implemented

  • Budget

    How much will it cost to certify?

    The cost of certification takes into account the following:

  • The number of sites to be audited

  • The number of days required to audit each site

  • The daily rate of the assessor

  • The cost of the certificate itself

    Exact costs can be obtained by contacting the British Standards Institution or any other accredited certification body.


    BS7799 is a management standard for the protection of an organisation's information assets. Consequently, if your organisation has a requirement to ensure that its information assets are protected, BS7799 is for you.

    At Trinity, we advocate using it as a guideline for achieving your information security goals. This is a strategic decision and must realise some benefit for your business; your decision should therefore be to concentrate on the parts that are applicable to your organisation and implement them accordingly.

    It is our opinion that there is little point in going down the road of certification if you cannot justify, and in some cases quantify, the benefits to your business. This requires a preliminary assessment of the risks to the business. As discussed earlier, certification is not a one-off task: compliancy must be continuously assessed internally to ensure that it filters through every aspect of the business, and periodically reviewed by an external assessor.

    Whilst some organisations might have a desire to certify, the actual need to certify must be analysed by weighing the benefits to your business against the costs involved in achieving certification.

    Organisations should also consider the hidden costs, which are also continuous, such as the manpower required to carry out the project (anywhere from 6 to 24 months) and the cost of the controls to be implemented.

    Our advice to an organisation that wants to maintain a high standard of information security is to head down the compliancy route. As your business grows and changes in response to market forces, you can adapt your ISMS to reflect these changes easily.

    We see BS7799 becoming a de facto standard for the protection of information assets, as ISO 9001 has for quality management. In conclusion, BS7799 as a guideline is for everyone; certification is not.

    About the Author:
    Trinity Security Services (Trinity) is a leading independent information security solutions and services provider. Customers include a range of FTSE 250 companies across the UK and Europe.

    Trinity provides its customers with market leading expertise, delivering solutions ranging from the technical such as IDS, VPN and E-commerce, to strategic services including security policy and procedure development.
