What is Compliancy?
Compliancy with BS7799 requires an organisation to have implemented and documented their Information Security Management System (ISMS) in accordance with the control objectives set out in the BS7799-1:2000 documentation.
What is Certification?
BS7799 certification provides evidence and assurance that an organisation has complied with the control objectives set out in the standards documentation. Certification outlines the scope of an organisation's ISMS, and any exclusions to the control objectives.
This is verified by an independent assessor who will perform an audit in accordance with the controls set out in BS7799-1:2000.
Why should one comply?
Compliancy is not mandatory; considering that there are 148 controls, this is just as well.
Before embarking on the route to compliance an organisation needs to consider the following:
On completion of this analysis, most organisations will find that they do not require full BS7799 compliancy to run their business more securely; however, there may be a desire to achieve compliancy in specific areas.
Evidence and justification must be given for excluding any of the control objectives set out in the standards documentation. The evidence should be derived from the risk assessment stage, where it can be shown that, due to the nature of your business, the risks identified within specific control areas are of no consequence to your business and, as a result, the implementation of these specific controls is redundant.
Whilst it might not be necessary for the majority of organisations to achieve compliancy or certification, there are several good reasons for both:
What is required to achieve compliancy?
The first step to compliancy requires an organisation to establish and maintain a documented Information Security Management System (ISMS).
Compliancy with BS7799 requires an organisation to follow six steps:
Step 1: Define the organisation's information security policy.
Step 2: Define the scope of the ISMS. Going through the controls outlined in BS7799-1:2000, an organisation will need to decide which controls are suitable for assessment within the organisation. The selection of controls will depend on the business requirement, the assets to be protected, location and the technology.
Step 3: Risk assessment: The aim of the assessment is to identify the threats and vulnerabilities to assets and the impacts to the organisation. The results of this will determine the degree of risk.
Step 4: Risk management: the areas of risk to be managed are identified by the information security policy and the degree of assurance required by the organisation.
Step 5: Selection of the controls detailed in clause 4 of BS7799-1:2000 to be implemented, and the objectives of these controls. Justification for the selections made must be provided.
Step 6: Statement of applicability: An organisation will need to document the selected control objectives and controls, the reasons for selection and justification for the exclusion of any of the controls listed in clause 4.
Figure 1: Six Major steps towards BS7799-2 Compliance
Should one Certify?
The decision to certify is subjective. It is important to realise that, as with compliance, it is not mandatory to achieve certification. Once an organisation believes that it has achieved the following:
- Defined the scope of the ISMS
- Documented and implemented the ISMS in accordance with the control objectives set out in clause 4 of the standards documentation
- Provided justification, where required, for any exclusions
The task of certification is an arduous and continuous process that should be considered carefully. Once certification has been achieved, it has to be maintained, which entails periodic reviews, site visits by a BS7799 assessor and recertification every 3 years.
As a result, an organisation should analyse the benefits specific to their business that certification will bring.
In addition to the benefits obtained through compliance, certification also offers the following additional benefits:
- Credibility and confidence
- Compliance: with relevant laws and regulations
Not every organisation needs to go down the certification route; however, by using BS7799 as a guideline by which you manage the risks to your business, you will be fulfilling your fiduciary responsibilities as an organisation in the protection of your company's assets.
What is required for certification?
In order to reach certification, you must first achieve compliancy as set out in the "what do I need to do to comply" section. Once this has been achieved, the certification process requires an external review by a BS7799 accredited assessor.
The assessor will work for a certified body such as BSI Assessment Services Ltd; they will audit your organisation's ISMS in line with the controls set out in Clause 4. On successful completion of the audit, your organisation will be awarded the BS7799-2 certificate.
The certificate will detail the scope of your ISMS and your statement of applicability.
Major control areas required for certification
There are 148 controls in total; the list below highlights the major control areas. Any exclusion of the following control objectives from your defined ISMS must be justified and evidenced during the risk assessment phase. These exclusions should be documented in your statement of applicability.
A full list of the detailed controls can be purchased on-line on the BSI web site at http://www.BSI-global.com.
Controls:
- Organisational security
- Asset classification and control
- Physical and environmental security
- Communications and operations management
- Systems development and maintenance
- Business continuity planning
How much will it cost to comply?
There is no set fee for compliance; the cost of compliancy depends on a set of factors within an organisation and on the cost of the controls required to achieve compliancy. These factors are as follows:
How much will it cost to certify?
The cost of certification takes into account the following:
Exact costs can be obtained by contacting the British Standards Institute at http://www.bsi-global.com/ or any other accredited body.
BS7799 is a management standard for the protection of an organisation's information assets. Consequently, if your organisation has a requirement to ensure that information assets are protected, then BS7799 is for you.
At Trinity, we would advocate that it be used as a guideline in achieving your information security goals. This is a strategic decision and must realise some benefits for your business, therefore your decision should be to concentrate on the parts that are applicable to your organisation and implement them accordingly.
It is our opinion that there is not much point in going down the road of certification if you cannot justify, and in some cases quantify, the benefits to your business. This would need to form part of a preliminary assessment against the risks to the business. As discussed earlier, certification is not a one-off task; it must be continuously assessed internally to ensure that compliancy filters through every aspect of the business, and periodically reviewed by an external assessor.
Whilst some organisations might have a desire to certify, the actual need to certify must be analysed by weighing up the benefits to your business versus the costs involved in achieving certification.
Organisations should also consider the hidden costs, which are also continuous, such as the manpower required to carry out this project (this could be anywhere from 6 months to 24 months) and the cost of the controls to be implemented.
Our advice to an organisation that wants to maintain a high standard of information security is to head down the compliancy route. As your business grows and changes in response to market forces, you can adapt your ISMS to reflect these changes easily.
We see BS7799 becoming a de facto standard for the protection of information security assets, as ISO9001 has become. In conclusion, BS7799 as a guideline is for everyone; however, certification is not.
About the Author:
Trinity Security Services (Trinity) is a leading independent information security solutions and services provider. Customers include a range of FTSE 250 companies across the UK and Europe.
Trinity provides its customers with market leading expertise, delivering solutions ranging from the technical such as IDS, VPN and E-commerce, to strategic services including security policy and procedure development.