
BS 7799-2

Inception to Certification

Dale Johnstone
Chair – BS7799 User Group (Hong Kong)
Member - Australian Standards IT/12/4
Member – ISO/IEC JTC1 SC27
Principal Security Consultant
Risk Management & Compliance

5 December 2002
[email protected]

Agenda

• What is BS7799?
• History of BS7799-1
• History of ISO/IEC 17799
• History of BS7799-2
• Current Status
• Future
• International User Group
• Roadmap to Certification
• Benefits

WHAT IS BS7799 ?

What is BS7799 ?

• Aim
– Build on a Common Basis for Organisational Security Standards Development
– Enhance Security Management Practice
– Increase Confidence and Trust in Inter-Organisational Dealings
• Defines
– Desired Best Practice Methods for Controlling (Protecting) Information: (a) Confidentiality, (b) Integrity and (c) Availability
• Consists of Two Parts
– Part 1 – Code of Practice for Information Security Management
  • Represents Best Practice Guidance Based on Practical Industry Experience
– Part 2 – Specification for Information Security Management Systems
  • Forms the Basis by Which Compliance Certification Can be Performed Against a Management Systems Standard

HISTORY OF BS7799 – PART 1

History of BS7799 (Part 1)

• Early 1990s
– Industry Need Determined for Best Practice Controls
– To Support Business & Government in the Implementation & Enhancement of Information Security
– Department of Trade and Industry (UK) Established a Working Group Comprising Experienced Information Security Managers
– Information Security Management Code of Practice Produced

• 1992
– Published as an Industry Code of Practice (September)
  • Provided a Structured Framework for an Organisation to Examine & Improve the Security of their IT Systems Environment
– Originally Published as a BSI-DISC Publication
– Forms the Basis of British Standard 7799

History of BS7799 (Part 1)

• 1995
– BDD/2 Committee Revised the Code to Make It Suitable for Publication
– BS7799 Published as a UK Standard

• 1996 - 1997
– Need to Increase the Level of Confidence in BS7799 Identified
– Industry Called for a Means of Certifying Against the Code
– Steering Committee Formed:
  • UK Accreditation Service (UKAS)
  • International Register of Certificated Auditors (IRCA)
  • Department of Trade & Industry (DTI)

History of BS7799 (Part 1)

• 1998 (April)
– UK ISMS Certification Scheme Launched

• 1999
– Revised and Updated
– New Controls Added:
  • E-commerce
  • Mobile Computing
  • Third Party Arrangements
– UK-Specific References Removed
– Overall General Improvements Made
– Second Edition Published (BS 7799-1:1999)

History of BS7799 (Part 1)

• Many Countries Adopted BS7799 for Domestic Use:
  Australia, Brazil, Canada, Czech Republic, Denmark, Germany, Iceland, India, Ireland, Japan, Korea, Malaysia, Netherlands, New Zealand, Norway, Poland, Singapore, South Africa, Sweden, Switzerland, Taiwan, UAE, UK

• BS 7799 Translated Into Many Different Languages:
  Chinese, Danish, Dutch, English, Finnish, French, German, Icelandic, Japanese, Korean, Norwegian, Polish, Portuguese, Swedish

HISTORY OF ISO/IEC 17799

History of ISO 17799

• April 2000
– Given Strong International Interest, BDD/2 Recommended BS7799-1 be Submitted to ISO for Development as an International Standard
– BSI Submitted BS7799-1 to ISO Using the 'Fast Track' Procedure
  • Allows an International Standard to be Published in 12 Months

• October 2000
– International Standard ISO/IEC 17799 Was Approved

• December 2000
– International Standard ISO/IEC 17799:2000 Published
– Some Minor Editorial Amendments


History of ISO 17799

• April 2001
– ISO/IEC JTC1 SC27 'IT Security Techniques' Committee Assigned Responsibility for Maintenance & Further Development
– Call for Revision Comments Issued

• October 2001
– Revision Commenced by ISO Committee
– 151 Pages of Comments Received

• October 2002
– Revision Continues by ISO Committee
– 666 Comments Spread Across 170 Pages Received

ISO 17799 Structure

• 10 Detailed Control Clauses, 36 Control Objectives, 127 Controls
  1. Security Policy
  2. Security Organization
  3. Asset Classification & Control
  4. Personnel Security
  5. Physical & Environmental Security
  6. Communications & Operations Management
  7. Access Control
  8. System Development & Maintenance
  9. Business Continuity Planning
  10. Compliance

ISO 17799 Topics

Scope; Terms & Definitions
Security Policy: Information Security Policy Document; Review & Evaluation
Security Organization: Information Security Infrastructure; Security of Third Party Access; Outsourcing
Asset Classification & Control: Accountability for Assets; Information Classification
Personnel Security: Security in Job Definition & Resourcing; User Training; Responding to Security Incidents & Malfunctions
Physical & Environmental Security: Secure Areas; Equipment Security
Communications & Operations Management: Operational Procedures & Responsibilities; System Planning & Acceptance; Protection Against Malicious Software; Housekeeping; Network Management; Media Handling & Security; Exchanges of Information & Software
Access Control: Business Requirement for Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access & Use; Mobile Computing & Teleworking
System Development & Maintenance: Security Requirements of Systems; Security in Application Systems; Cryptographic Controls; Security of System Files; Security in Development & Support Processes
Business Continuity Management
Compliance: Compliance with Legal Requirements; System Audit

HISTORY OF BS7799 – PART 2


History of BS7799 (Part 2)

• 1998
– Process for Establishing an Information Security Management System Identified
  • Developed by BDD/2
  • Published as BS 7799-2:1998
– BS 7799-2:1998 Specifies Controls to Be Implemented
  • According to Security, Legal and Business Requirements
– Specification Can be Used to:
  • Conduct Internal Audits to the Standard
  • Enable Third Party Certification to the Standard

• 1999
– Published as BS 7799-2:1999
  • Alignment of Controls With BS7799-1
  • Joint Publishing of New Part 1 → Re-issue of New Part 2

History of BS7799 (Part 2)

• Late 2001
– Revision of Standard Commenced

• Main Drivers of Revision
– Harmonise with Other Management System Standards
  • ISO 9001 & ISO 14001
  • Assist with Integration and Operation of an Organisation's Management Systems
  • Facilitate Combined Third Party Audits
– Need for Continual Improvement Processes
– Corporate Governance
– Information Security Assurance
– Implementation of the New 2002 OECD Principles
  • Security of Information Systems and Networks


History of BS7799 (Part 2)

• January – September 2002
– Draft for Public Comment Issued
– Reviewed by BSI Committee BDD/2 & the International User Group
– Finalised & Revised Version Completed

• Contributors: Australia, Brazil, Germany, Hong Kong, Ireland, Japan, Korea, Netherlands, Norway, Singapore, Sweden, UK

CURRENT STATUS OF BS7799-2


Present - BS7799 (Part 2)

• 5th September 2002
– BS 7799-2:2002 Launched / Published in the UK
• Major Updates
– Process-Based Approach Built on the Plan, Do, Check, Act (PDCA) Model
– Improved Definition and Clarification of the Links Between:
  • Risk Assessment Process
  • Selection of Controls
  • Contents of the Statement of Applicability
– Importance of Continual Process Improvement to the ISMS
– Clarified Requirements for Documentation & Records
– Enhanced Risk Assessment & Management Process
– Controls from ISO 17799 Included as a Normative Annex
– Annex Providing Guidance on the New Version's Use
– Annex Showing Correspondence Between BS7799-2, ISO 9001 & ISO 14001
Present - BS7799 (Part 2)

• Provides
– Guidance on Creating an ISMS
– Critical Success Factors to Successfully Implement Information Security
– Ability to Harmonise With Other Management Systems
– Plan-Do-Check-Act Model for Creating and Maintaining an Effective ISMS
– Ability to Continually:
  • Improve the Process of Security Management
  • Assess Security Procedures in the Light of Changing Business Requirements, Technology Threats and New Circumstances
– Clarity of Relationship with:
  • International Standards
  • Newly Revised Guidelines From the Organisation for Economic Co-operation and Development (OECD)


Present - BS7799 (Part 2)

Plan-Do-Check-Act cycle applied to the ISMS:

Input: Interested Parties – Information Security Requirements & Expectations
Output: Interested Parties – Managed Information Security

PLAN – Define the Scope of the Information Security Management System, Identify & Assess Business Risks
DO – Implement Agreed Risk Treatment Activities & Appropriate Controls
CHECK – Monitor Control Performance, Review Risk Levels (Changing Circumstances), Perform Internal Information Security Management System Audits
ACT – Implement Improvements in the Information Security Management System Process, Implement Modifications to the Controls As Necessary to Meet Changing Circumstances

ISO 17799 & BS 7799-2 – FUTURE


Future of ISO 17799

• October 2003
– ??? Comments
– International ISO Voting
• October 2004
– ??? Comments
– International ISO Voting
• 2005 Aimed Publication Date
– Revised and Updated With a New Look
– Contain New Additional Material
– New Controls Will be Included
– May Even Include a New Major Topic Section
  • 10 → 11 Sections

Future of BS 7799-2

• October 2002
– Study Period Commenced Within ISO
– Review Need for an Information Security Management Systems Standard
– International Countries Expected to Contribute to the Study Period
– Several Countries Have Already Indicated Very Strong Support
– BSI (UK) Yet To Decide Their Form of Contribution (e.g. BS7799-2)

• Expectation
– New Version to Be Issued Either by BSI or by ISO
– Within Six Months of ISO 17799 Being Republished


BS 7799 INTERNATIONAL USER GROUP (IUG)

International User Group

Countries Represented: Australia, Brazil, Canada, Germany, Hong Kong, Iceland, India, Ireland, Japan, Korea, Malaysia, The Netherlands, New Zealand, Norway, Poland, Singapore, South Africa, Sweden, Switzerland, Taiwan, UAE, UK, USA

IUG Chapters: Australia, Canada, Germany, Hong Kong, India, Singapore, Sweden, Taiwan, UK


ROADMAP FOR CERTIFICATION (ONE EXAMPLE)

Requirements

• BS7799-2 Standard Specifies Requirements for Establishing, Implementing and Documenting an ISMS
– Define Security Policy
– Define the ISMS Scope (Boundary)
– Identify Assets
– Undertake Asset Risk Assessment
– Identify Asset Weak Areas
– Make Decisions to Manage Risk
– Select Appropriate Controls
– Implement & Manage Selected Controls
– Prepare Statement of Applicability

Option of Formal Certification Now Available


Audit Objectives

• Audit Objectives
– Review Compliance to BS 7799-2
– Review Degree of Implementation of BS 7799-2
– Review the Effectiveness and Suitability in Meeting:
  • Security Policy
  • Security Objectives
– Identify Security Holes & Weaknesses
– Provide an Opportunity to Improve the ISMS
– Meet Contractual Requirements
– Meet Regulatory Requirements

TO ACHIEVE CERTIFICATION

Approach

• Preparation
– Understanding of the effort required
– Clear that it is a continuous effort
– A key operational champion is identified
– People resources are available (minimum 6 months)
– Budgetary resources are available
– Identified the end goals to be achieved (why proceed)

• Management Commitment
– Key management champion is identified
– Understanding of what will be achieved
– Support to make it happen
– Ability to prioritise the commitment (e.g. high)


Approach

• Day 0
– Determine details of the ISMS Certification Process

• Day 1
– Map out a project plan
– Determine key milestones
– Select key people resources
– Form project team (Security Forum)
– Commence documentation (e.g. minutes)
– Determine and allocate a budget
– Determine what professional assistance/advice is required

Approach

• Day 2-5
– Plan major activities
  • Information Security Policy
  • Asset Identification
  • Risk Assessment
  • Training and Awareness
  • Scope of assessment (e.g. physical, people, shifts etc.)

• Week 1
– Project Team Meeting
– Initial Scope of Assessment Determined
– Asset Identification Process Commenced
– Gap Analysis of ISMS Requirements within Scope Completed


Approach

• Week 2-4
– Project Team Meeting (held fortnightly)
– Plan/Update Project Plan/Milestones
– Develop security organisational structure (Security Forum)
– Develop/update information security policies
– Commence Risk Assessment (determine methodology)
– Identify weak and strong security areas/risks

• Month 2
– Finalise information security policies (ready for approval)
– Review scope of assessment
– Commence risk management process (safeguard selection)
– Commence development of Information Security Manual
– Continue to document your efforts

Approach

• Month 3
– Project Team Meeting (held monthly) (Security Forum)
– Submit Information Security Policies for Senior Management Approval
– Commence/continue safeguard (control) implementation
– Continue to monitor Gap Analysis Study (from week 1)

Example gap analysis entries (columns: BS 7799-2 Part 2 Clause; Statement; Comply / Non-Comply / Exclusion; Control Objectives, Controls & Reasons for Selection or Exclusion):

4.1.1.1 Information security policy document – Comply
  Statement: A policy document shall be approved by management, published and communicated, as appropriate, to all employees.
  Reason: Developed, approved and communicated an information security policy to all employees. This policy has been developed in accordance with, and supports, the information security policies of its parent organisation. The Policy is readily available to all employees via the company's intranet.

4.1.1.2 Review and evaluation – Non-Comply
  Statement: The policy shall be reviewed regularly, and in case of influencing changes, to ensure it remains appropriate.
  Reason: No formal process has yet been established to regularly review the organisation's security policies and procedures. Ownership of and responsibility for policy review has not yet been assigned to dedicated personnel.

4.2.1.1 Management information security forum – Exclusion
  Statement: A management forum to ensure that there is clear direction and visible management support for security initiatives shall be in place.
  Reason: Security is a topic that is constantly reviewed and promoted, not only by management to the organisation's employees, but additionally encouraged throughout the organisation's customer environment. Given the small size of the organisation, a management forum dedicated to information security is not deemed necessary.
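The gap-analysis entries above are the seed of the Statement of Applicability that the Phase 1 desktop audit later reviews. The Python below is an added illustration, not code from the original presentation or from BSI: it models such a table and runs the three checks an auditor applies to an SoA before certification, namely that every in-scope Annex A clause is accounted for, that every exclusion carries a justification, and that every non-compliance has an owner for corrective action. The three rows and their clause numbers are transcribed from the slide; the in-scope clause set, the owner field, the major/minor severity split and all function names are assumptions made for the example.

```python
"""Statement of Applicability (SoA) builder and pre-audit check.

Added example for illustration; not code from the slides or from BSI.
Rows are transcribed from the slide's gap-analysis table; the in-scope
clause set, the owner field, the severity split and the function names
are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The three statuses used in the slide's gap-analysis table
COMPLY = "Comply"
NON_COMPLY = "Non-Comply"
EXCLUSION = "Exclusion"
VALID_STATUSES = {COMPLY, NON_COMPLY, EXCLUSION}


@dataclass
class ControlRow:
    clause: str               # BS 7799-2 Annex A clause number, e.g. "4.1.1.1"
    title: str
    status: str               # one of VALID_STATUSES
    justification: str = ""   # reason for selection or exclusion
    owner: str = ""           # assumption: person accountable for the control


# Constructed rows, transcribed from the gap-analysis table on the slide.
GAP_ANALYSIS: List[ControlRow] = [
    ControlRow("4.1.1.1", "Information security policy document", COMPLY,
               "Developed, approved and communicated to all employees; "
               "available via the intranet", owner="Security Manager"),
    ControlRow("4.1.1.2", "Review and evaluation", NON_COMPLY,
               "No formal review process; ownership of policy review "
               "not assigned"),
    ControlRow("4.2.1.1", "Management information security forum", EXCLUSION,
               "Small organisation; a dedicated forum is not deemed "
               "necessary"),
]

# Clauses the ISMS scope says must be accounted for (constructed subset;
# the real Annex A carries all 127 controls from ISO/IEC 17799).
IN_SCOPE_CLAUSES = {"4.1.1.1", "4.1.1.2", "4.2.1.1", "4.2.1.2"}


def build_soa(rows: Iterable[ControlRow]) -> Dict[str, ControlRow]:
    """Index gap-analysis rows by clause, rejecting duplicates and bad statuses."""
    soa: Dict[str, ControlRow] = {}
    for row in rows:
        if row.clause in soa:
            raise ValueError(f"duplicate clause {row.clause}")
        if row.status not in VALID_STATUSES:
            raise ValueError(f"{row.clause}: unknown status {row.status!r}")
        soa[row.clause] = row
    return soa


def audit_soa(soa: Dict[str, ControlRow], in_scope: Iterable[str]) -> List[str]:
    """Return the findings a desktop audit would raise against the SoA.

    major: blocks certification (an in-scope control the SoA does not mention,
           or an exclusion with no recorded reason).
    minor: to be corrected before Phase 2 (a non-compliance with nobody
           owning the corrective action, a selected control with no evidence
           recorded, or an SoA entry outside the declared scope).
    The severity split is an assumption for illustration, not the standard's wording.
    """
    scope = set(in_scope)
    findings: List[str] = []
    for clause in sorted(scope):
        row = soa.get(clause)
        if row is None:
            findings.append(f"major {clause}: in scope but not addressed in SoA")
        elif row.status == EXCLUSION and not row.justification.strip():
            findings.append(f"major {clause}: excluded without justification")
        elif row.status == NON_COMPLY and not row.owner.strip():
            findings.append(f"minor {clause}: non-compliance has no owner")
        elif row.status == COMPLY and not row.justification.strip():
            findings.append(f"minor {clause}: no evidence recorded for selection")
    for clause in sorted(set(soa) - scope):
        findings.append(f"minor {clause}: in SoA but outside declared scope")
    return findings


def summarise(soa: Dict[str, ControlRow]) -> Dict[str, int]:
    """Count SoA entries per status (the totals an auditor asks for first)."""
    counts = {status: 0 for status in VALID_STATUSES}
    for row in soa.values():
        counts[row.status] += 1
    return counts


if __name__ == "__main__":
    soa = build_soa(GAP_ANALYSIS)
    print(summarise(soa))
    for finding in audit_soa(soa, IN_SCOPE_CLAUSES):
        print(finding)
```

Run against the constructed rows, the check reports one minor finding (4.1.1.2 has no owner for the corrective action) and one major finding (4.2.1.2 is in scope but absent from the SoA); the exclusion of 4.2.1.1 passes because its justification is recorded.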

Approach

• Month 4
– Continue safeguard (control) implementation (risk mgt)
– Ensure personnel awareness/training of information security
– Ensure management approval of Information Security Policy
– Continue development of Information Security Manual
  • Document what you actually do – not what you should do!
  • The ISM forms a key element in the certification audit, as do:
    – Meeting Minutes
    – Risk Assessment documentation
    – Organisational structure
    – Statement of Applicability
– Continue to review/revise supporting documentation
  • Not necessarily security related
  • But supporting security safeguards/controls

Approach

• Month 5
– Commence development of 'Statement of Applicability'
  • Progressive update from Gap Analysis document
– Continue Information Security Manual
– Continue implementation of safeguards (controls)
– Commence process of:
  • Continuous review
  • Continuous documentation
– Perform (2nd) Risk Assessment (if applicable)
– Visitor's log etc.
– Engage internal auditors (if available)
  • To assist in reviewing work to date
  • To provide an element of increased confidence
  • To determine any non-conformities earlier in the process
– Engage External (Accredited) Certification Body

Certification Audit – Phase 1

• Month 6
– Commence Phase 1 – Desktop/Documentation Audit (may or may not be conducted on site)
  • Review ISMS Management Framework
    – Security Organisation
    – Security (Committee) Meeting Minutes
  • Assess Scope of Assessment (ISMS)
  • Statement of Applicability
  • Risk Assessment and Management Approach
  • Security Policy and Supporting Key Procedures (e.g. Information Security Manual)
  • Determine any minor/major non-conformities
– Action taken to correct non-conformities
– Documentation updated to reflect changes
– Finalise Information Security Manual
– Finalise implementation of safeguards (controls)

Certification Audit – Phase 2

• Month 7
– Commence Phase 2 – Implementation Audit
  • To confirm that:
    – The organisation adheres to its own policies, objectives and procedures
    – The ISMS conforms with the requirements of the ISMS Standard and is achieving the organisation's policy objectives
  • Test the effectiveness of the ISMS
  • On-site inspection to review/test effectiveness of (ISMS) Policies, Procedures and Objectives
    – Interview Owners and Users of the ISMS
    – Review high, medium and/or low risk areas
    – Security objectives and targets
    – Links between the core documents within the system
    – Security and management reviews
  • Report findings and give final recommendation

Certification Audit – Phase 2

• It's worth knowing…
– Do Not Expect to Gain Certification Without a Risk Assessment
– Without Internal Reviews, You Are Unlikely to Pass the External Audit

Certifications (171)

Australia (1), Austria (1), Brazil (2), China (3), Egypt (1), Finland (8), Germany (6), Greece (2), Hong Kong (6), Hungary (2), Iceland (1), India (8), Ireland (3), Italy (3), Japan (17), Korea (9), Norway (6), Singapore (6), Spain (1), Sweden (4), Taiwan (3), UAE (1), UK (74), USA (3)

BENEFITS

BS7799 Benefits

• Improves
– Management Understanding of the Value of Organisational Information
– Customer Confidence, Satisfaction and TRUST
– Business Partner Confidence, Satisfaction and TRUST
  • e.g. Handling Sensitive Information of Customers & Business Partners
– Level of Assurance in Organisational Security & QUALITY
– Conformance to Legal and Regulatory Requirements
– Organisational Effectiveness of Communicating Security Requirements
– Employee Motivation and Participation in Security (Best Practices)
– Organisational Profitability
– Management and Handling of Security Incidents
– Ability to Differentiate the Organisation for Competitive Advantage
– Organisational Credibility & Reputation


Certification Benefits

• Certification Demonstrates:
– Commitment
– Continuous Improvement
– Preparedness for Independent Review
– Measure Against Best Practice
• Certification Provides:
– Means to Benchmark Against:
  • Industry & Competitors
  • Business Partners
  • Customers
– Increased Level of Certainty

Thank You
Q & A
