British Standard 7799 (ISO 17799)

British Standard 7799 consists of two parts:
Part 1: Code of Practice for Information Security Management;
Part 2: Specification for Information Security Management Systems.
BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It was upgraded in 1999, and in 2000 became ISO 17799. BS 7799-2 was issued in 2002, this time focusing upon information security management systems; it became ISO 27001 in October 2005. The latest version of BS 7799 is "BS 7799-3:2005 Information security management systems. Guidelines for information security risk management," intended to provide guidance to support the requirements given in ISO 27001 regarding all aspects of an ISMS risk management cycle.

What is information security?
BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it should always be appropriately protected.

Information security is characterized within BS 7799 as the preservation of:
confidentiality: ensuring that information is accessible only to those authorized to have access;
integrity: safeguarding the accuracy and completeness of information and processing methods;
availability: ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.

How to establish security requirements
BS 7799 states that it is essential that an organization identifies its security requirements. There are three main sources:
The first source is derived from assessing risks to the organization. BS 7799 does not prescribe a methodology.
The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy.
The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.

Assessing security risks
BS 7799 suggests that security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems and it is important to carry out periodic reviews of security risks and implemented controls.

Selecting controls
Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account.