  Extensity Newsletter
Vol. I   Issue 10   March, 2004

Inception of BS 7799

The world economy has long since realized the power and value of information and the importance of protecting it. Security seems to be top-of-mind for most CTOs today. In the last three years the buzzwords in security have moved from firewalls to biometrics and from simple passwords to identity management; people have tried hard to manage the show on their own and are now looking at Managed Security Service Providers.

Yet...

  1. How does the average CTO or decision maker decide which control to bet his last rupee on?
  2. What are the parameters by which he/she can quantitatively measure the improvement resulting from the actions taken?
  3. Whom can he/she trust to help really plan and monitor the effectiveness of the controls in place?
  4. Is there an independent party that really knows what security is and can recommend best practices?

These were a few of the issues faced by top management last decade, when the British Standards Institution (more commonly known as BSI), in consultation with a group of end-users and vendors, created what we today know as the "BS 7799 Standard for Information Security". This standard for an Information Security Management System (ISMS) has fast become one of the world's yardsticks for measuring the robustness and resilience of the security infrastructure in place.

BSI is the independent national body responsible for preparing British Standards. It presents the UK view on standards in Europe and at the international level. A partial list of the organizations that, in consultation with BSI, first brought out this standard in 1995 is provided below.

  • Association of British Insurers
  • British Computer Society
  • British Telecommunications plc
  • The Business Continuity Institute
  • Department of Trade & Industry
  • Det Norske Veritas Quality Assurance
  • HMG Protective Security Authority
  • HSBC
  • Institute of Chartered Accountants in England & Wales
  • Institute of Internal Auditors
  • KPMG plc
  • L3 Network Security
  • Lloyds TSB
  • Logica UK
  • Marks and Spencer plc

ISO/IEC 17799, Part 1 of the standard, contains over 100 security controls to help you identify the elements of your business that affect information security. Part 2 is a specification against which your organization can be assessed and registered.

It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organisations.

The year 1999 saw the launch of the revised Part 1. The new edition was revised to address the following:

  • Developments in the application of information processing technology, particularly in the area of networks and communications.
  • Business involvement in, and responsibility for, information security.

An Information Security Management System is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. BSI has published a code of practice for these systems, ISO/IEC 17799, which is now being adopted internationally. September 2000 saw the launch of the revised BS 7799 Part 2. This new edition was revised to address the following:

  • Harmony with other management system standards such as ISO 9001.
  • Incorporation of the PDCA (Plan - Do - Check - Act) method, meaning: Plan the ISMS, Implement the ISMS, Monitor & Review the ISMS, Improve the ISMS.

This article series aims at demystifying the BS 7799 standard, and at helping you understand security much better by using the yardstick it provides. The next article will address the structure of the standard and what it entails.

- Montu Das
