BS7799
White Paper
René Saint-Germain,
President, Callio Technologies
Executive Summary
When it comes to implementing codes of practice for information security management, the best point
of reference is BS 7799 / ISO 17799, an internationally recognized standard in this field that is widely
used for drafting security policies.
The BS 7799 / ISO 17799 standard is written and published in two parts:
1) ISO/IEC 17799 Part 1: Code of practice for information security management is a guide containing
advice and recommendations to ensure the security of a company’s information according to ten fields
of application.
2) BS 7799 Part 2: Information security management -- specifications with guidance for use provides
recommendations for establishing an effective Information Security Management System (ISMS). At
audit time, this document serves as the assessment guide for certification.
Several software programs are currently available on the market to help companies implement the BS
7799 / ISO 17799 standard and develop security policies. Such a program brings together a sound
methodology, questionnaires, an informational guide and all of the tools needed to develop an
information security management system and accelerate its implementation.
Company Profile
© Callio Technologies i
BS7799 / ISO 17799 Solution infoedge.com
Introduction
An array of laws now holds the officers of a corporation liable for the protection of its
informational assets, under threat of penalty. It has become a must for administrators
to show due diligence in this regard, fostering greater concern for countering risks
with appropriate measures to reduce or eliminate them.
What is information security?
What is BS 7799 / ISO 17799?
The goal of BS 7799 / ISO 17799 is to “provide a common base for developing
organizational security standards and effective security management practice and to provide
confidence in inter-organizational dealings.”
The following diagram suggests a structure for the ten domains of the standard. Each domain
deals with a separate topic built around administrative, technical and physical measures and
driven from the top down, in other words such that its impact is felt from the management level
all the way to the operational level.
It is important to understand that an organization that obtains certification is considered ISO 17799 compliant and BS7799-2 certified.
BS 7799-2 is already widely used in many countries as a reference document for information security management certification. These countries include England, Australia, Norway, Brazil and Japan.
What is an ISMS?
“To establish the organization’s information
security policy and objectives... and then
meet these objectives.”
History of the BS7799 / ISO 17799 standard
For over a hundred years, the British Standards Institution (BSI) has carried out studies for the
purpose of establishing effective, high-quality industry standards. BS 7799 was developed at the
beginning of the 1990s in response to industry, government and business requests for the
creation of a common information security structure. In 1995, the BS7799 standard was officially
adopted.
Four years went by before the publication in May 1999 of a second major version of the BS 7799
standard, incorporating numerous improvements. It was during this period that the International
Organization for Standardization (ISO) began to take an interest in the work published by the
British institute.
In December 2000, ISO took over the first part of BS 7799, renaming it ISO 17799. In
September 2002, a revision of the second part of the BS7799 standard was carried out in order
to make it consistent with other management standards such as ISO 9001:2000 and ISO
14001:1996 as well as with the principles of the Organization for Economic Cooperation and
Development (OECD).
Currently, consultations are taking place at the international level to keep BS 7799 / ISO 17799
at the leading edge of the latest developments.
To avoid confusion, here is a brief definition of these three terms in the context of an Information
Security Management System (ISMS):
Who is ISO 17799 for?
BS 7799 / ISO 17799 meets the needs of organizations and companies of all types, both
private and public.
For any organization that stores confidential information on internal or external systems,
depends on such systems to run its operations, or indeed wishes to demonstrate its
information security by conforming to a known standard, BS 7799 / ISO 17799 would be of very
great interest. The following chart illustrates the many possible uses of the standard:
Medium enterprise (centralized or decentralized) | Less than 5000 employees | Create a compatible corporate security culture | The standard contains the practices required to put together an information security policy.
Benefits of the BS7799 / ISO 17799 standard
Obviously, complying with the ISO 17799 standard or obtaining BS 7799-2 certification does not in itself prove that an organization is 100% secure. The truth is, barring a cessation of all activity, there is no such thing as complete security. Nevertheless, adopting this international standard confers certain advantages that any manager should take into consideration, including:
At the organizational level
Commitment: certification serves as a guarantee of the effectiveness of the effort put into rendering the organization secure at all levels, and demonstrates the due diligence of its administrators.
the organization to protecting information. Certification can help set a company apart from its competitors and in the marketplace. Already, international invitations to tender are starting to require ISO 17799 compliance.
At the financial level
Reduced costs related to security breaches, and possible reduction in insurance premiums.
At the human level
Improves employee awareness of security issues and their responsibilities within the organization.
Complementarity of BS7799 / ISO 17799
The popularity of BS 7799-2 / ISO 17799 is due in part to its flexibility and its complementarity
with other information and IT security standards.
While ISO 17799 sets out the best practices for managing information security and creating security policies, ISO 13335, also called GMITS - Guidelines for the Management of IT Security - is its big brother. This standard deals more with the technological aspects of information, and brings value-added content to risk assessment. The protective measures proposed in the fourth of ISO 13335’s five guides (Part 4: Selection of safeguards) could be compared to the controls offered
A relationship also exists between ISO 17799 and numbers 18044, 17944, 18028 and 14516 of the International Organization for Standardization, as summarized in the following figure:
ISO 17799
ISO 18044: Incident management
ISO 17944: Financial systems
ISO 18028: Communications management
ISO 14516: E-commerce security
Complementarity with existing legislation
Many governments around the world are preparing or have adopted regulations prescribing how
companies should manage and control information security. The aim is simple: compel
management and boards of directors to be responsible for information security, and encourage
them to display the same “due diligence” they devote to protecting their assets.
Such regulations include the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act
(GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA):
The good news is that an organization that complies with any one of these regulations already
possesses a concrete and practical example of an information security management system.
For example, HIPAA tackles the same subjects as the ISO 17799 standard while placing the
emphasis on the protection of private information.
Similarly, the PDCA (Plan-Do-Check-Act) model in BS 7799-2 compares nicely with the four steps
in GLBA:
1. Identify and assess the risks to customers’ information;
2. Develop a plan containing policies and procedures to manage and control those risks;
3. Implement and test the plan;
4. Adjust the plan on a continuing basis.
Finally, compliance with ISO 17799 and BS7799-2 can include the definition of policies and
procedures for the security of a company’s sensitive information, as touched on in SOX.
Implementing an ISMS
The following table describes each of the eight steps involved in implementing an ISMS:
Documenting an ISMS
Documenting an ISMS is an important requirement during implementation and has two major
dimensions:
1) description of the organization’s strategy, objectives and risk assessment along with the
measures taken to mitigate risks;
2) control and follow-up once the ISMS is in operation.
Obstacles
Certain obstacles may be encountered when implementing an ISMS, namely:
To help overcome these obstacles, certain success factors should be taken into consideration.
Success Factors
Experience has shown that the following factors are often crucial to ensuring the successful
implementation of information security management within an organization:
a) a security policy and security objectives and activities that reflect the company’s goals
b) an implementation approach to security management that is consistent with company
culture
c) visible support and commitment from management
d) a good understanding of security requirements, risk assessment and risk management
e) effective communication of security issues to all managers and employees
f) the distribution of guidelines regarding the information security policy and standards to all
employees and suppliers
g) appropriate training and education
h) a comprehensive and balanced system of measurement that is used to evaluate the
effectiveness of information security management and provide feedback and suggestions for
improvement
A balanced process between physical, technical and procedural security, and personnel security
ISO 17799 isn’t a system that leads to a security certification (for the moment, only BS 7799-2 and its national derivatives provide a certification process).
Available software tools and resources
A range of information security products and services are currently available on the market. Many
are based on physical safeguards (locks, gates, fences, extinguishers, guards, etc.) and technical
controls (firewalls, biometrics, encryption, etc.). When it comes to adopting administrative
safeguards, however, often companies forget how important these are.
But information security isn’t complete without the development and publication of security policies
and procedures, or employee awareness and training programs, to name only those. Information
security is really an ongoing risk management process and therefore requires tools that meet
these needs.
Beyond any doubt, ISO 17799 offers what companies need in order to better manage information
security. The best way to implement this standard is to ease the process using multiuser software
that will collect the information required and that contains the principal tools that will be needed
along the way. Start with a simple and efficient risk assessment tool that generates
recommendations based on the ISO 17799 code of practice for each of the informational contexts
identified. Add to that a complete methodology, compliance questionnaires, a security policy
generator, an integrated document manager, examples, templates and information guides
regarding the implementation and audit of ISO 17799 controls, and managers will quickly
understand that such a tool can save the company much time and money.
Of course, another approach is to implement the standard with the aid of a consulting firm - one
that uses such software.
A methodology therefore uses methods, that is to say, means to effectively achieve the desired
result. The latter is usually formulated in a standard.
It is therefore obvious that the method will be the tool used to meet the requirements of a standard.
Conclusion
Now more than ever, it is essential to align information security with the corporate mission.
The confidentiality, integrity and availability of information are crucial factors in conserving a
competitive edge, cash flow, legal compliance and a good business image.
Seeking certification is also a demonstration that business executives and upper management
are showing due diligence in protecting corporate assets. Development of an information
security policy based on ISO 17799 is thus at the very core of information security
management.
BS 7799 / ISO 17799 is especially pertinent in this context. Simply by learning the
requirements of the standard, companies will improve their understanding of information
security management.
One of the best ways to implement a complete and effective information security management
system is to purchase a software tool and to use this tool in conjunction with professional or
internal services.
Over 80 000 firms around the world are BS 7799 / ISO 17799 compliant, including:
- Fujitsu Limited
- KPMG
- Marconi Secure Systems
- Sony Bank
- Toshiba IS Corporate