ISO 17799 / BS 7799-2

Presentation transcript:

ISO 17799 / BS 7799-2

Introduction Information security has always been a major challenge to most organizations. Computer infections by the “I-Love-You” virus, the 9-11 terrorist attacks and the crippling electrical blackouts in the northeastern United States in 2003 are just a few well-known examples of the need to come to terms with information-related risks. Unfortunately, organizations forget too quickly that information security is more than a simple matter of technology. In reality, it should be part of an ongoing risk management process, covering all of the information that needs to be protected.

What is information security? Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business losses and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, whatever the means by which it is shared or stored, it should always be appropriately protected.

Information security elements Information security consists of preserving the following elements:
a) confidentiality: ensuring that information can only be accessed by those with the proper authorization;
b) integrity: safeguarding the accuracy and completeness of information and the ways in which it is processed;
c) availability: ensuring that authorized users have access to information and associated assets whenever required.

Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established in order to ensure that the specific security objectives of the organization are met.

What is BS 7799 / ISO 17799? The goal of BS 7799 / ISO 17799 is to “provide a common base for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.” The standard is published in two parts:
- ISO/IEC 17799 Part 1: Code of practice for information security management
- BS 7799 Part 2: Information security management - specifications with guidance for use

ISO/IEC 17799 Part 1 The international standard ISO/IEC 17799 was developed by the British Standards Institution (BSI) as BS 7799. It was adopted through a special “fast track procedure” by JTC 1 (the Joint ISO/IEC Technical Committee), concurrently with its approval by the national member institutes of ISO and the IEC. ISO/IEC 17799 is presented in the form of guidelines and recommendations that were assembled following consultations with big business. The 36 security objectives and 127 security controls contained in ISO/IEC 17799 are divided among ten domains.

BS 7799 Part 2 BS 7799 Part 2 provides the conditions for information security management. Built on the ten domains and 127 controls of the ISO 17799 standard, this reference applies to the development, implementation and maintenance stages of an information security management system. Organizations applying for certification are evaluated according to this document. An organization that bases its ISMS on the provisions in BS 7799 can obtain certification from an accredited body.

What is an ISMS? An Information Security Management System (ISMS) provides a systematic approach to managing sensitive information in order to protect it. It encompasses employees, processes and information systems. Information security involves more than simply installing a firewall or signing a contract with a security firm. In this field it is essential to integrate multiple initiatives within a corporate strategy so that each element provides an optimal level of protection. This is where information security management systems come into play: they ensure that all efforts are coordinated in order to achieve optimum security. A management system must therefore include an evaluation method, safeguards, and a documentation and revision process. This is the underlying principle of the PDCA (Plan-Do-Check-Act) model, which strongly resembles the ISO 9001 model for quality management.

Plan
- Define the ISMS scope and the organization’s security policies
- Identify and assess risks
- Select control objectives and controls that will help manage these risks
- Prepare the statement of applicability
Do
- Formulate and implement a risk mitigation plan
- Implement the previously selected controls in order to meet the control objectives
Check
- Perform monitoring procedures
- Conduct periodic reviews to verify the effectiveness of the ISMS
- Review the levels of acceptable and residual risk
- Periodically conduct internal ISMS audits
Act
- Implement identified ISMS improvements
- Take appropriate corrective and preventive action
- Maintain communications with all stakeholders
- Validate improvements

Complementarity of BS 7799 / ISO 17799 As of the new 2002 revision, BS 7799 is harmonized with the standards for other well-known management systems, such as ISO 9001:2000 and ISO 14001:1996. Indeed, numerous companies are aware of or have implemented a quality management system (QMS) using ISO 9001, or an environmental management system (EMS) using ISO 14001. BS 7799 now follows the same structure and has much the same requirements for developing an Information Security Management System (ISMS).