Sponsored by ISO/IEC 17799 / ISO 27001 User Group Canada

ISO 17799 / BS 7799 - INFORMATION SECURITY MANAGEMENT


Why ISO 17799/BS 7799?

The issue of information security affects organizations of all sizes and from all sectors. They all face the same problem: the inherent vulnerability of their information systems.

No matter how secure and well protected an organization appears to be, sensitive information can be leaked without the organization even realizing it until it is too late.

All information in all departments, whether on computer disk, paper or in the heads of your employees, is at risk from any number of very real threats.

Information security is no longer an issue for IT managers only. A single breach of information security could cost you your hard-earned profits while doing irreparable damage to your image and reputation. Your capacity to trade profitably depends on your ability to manage risks effectively.

As the number of reported information security breaches consistently increases, the need for a structured approach to managing information security intensifies. An Information Security Management System (ISMS) based on ISO 17799 provides a well-proven framework to initiate, implement, maintain and manage information security within any organization.

Once you start using ISO 17799 as the basis for your ISMS, your management system can be audited and registered by a third party, such as BSI, Inc. This process adds significant value to the ongoing effectiveness of the system.


What is ISO 17799/BS 7799?

ISO 17799/BS 7799 is an Information Security Management System standard that addresses all levels of information security.

In order to address all forms of information protection, the standard's guidelines are organized into 10 sections:

  • Security policy

  • Organization of assets and resources

  • Asset classification and control

  • Personnel security

  • Physical and environmental security

  • Communications and operations management

  • Access control

  • Systems development and maintenance

  • Business continuity management

  • Compliance

Each section contains the actual clauses and controls that comprise the standard.


What are the benefits of ISO 17799/BS 7799?

A properly implemented ISO 17799 ISMS will position your organization to be, or to have:

  • An early mover into new business areas

  • Fewer sudden shocks and unwelcome surprises

  • Achievement of competitive advantage

  • Greater likelihood of achieving business objectives

  • Higher share prices over the longer term

  • A reduction in management time spent 'fire fighting'

  • Increased likelihood of change initiatives being achieved

  • Lower cost of capital

  • More focus internally on doing the right things properly

  • Better basis for strategy setting


ISO 17799 and IT operation

The popular view of ISO 17799 is that it identifies security issues within the IT department, and so it is generally handed over to IT managers. Contrary to this belief, ISO 17799 is not exclusively an IT security standard, although it includes many IT-related security issues, since in today's world information is mainly stored on computers. The scope of information security protection is much wider than IT operations and touches many security issues that are not generally of direct concern to IT operations, such as physical and/or personnel security, business continuity management, or legislative compliance. IT operations should therefore be one cooperating party within the ISMS rather than the ISMS being the responsibility of IT operations.


How to implement ISO 17799/BS 7799?

The path to ISO 17799/BS 7799 compliance is well defined and includes exact steps towards the ultimate objective of compliance registration. Prior to registration, an ISMS (Information Security Management System) has to be built according to the standard's methodology. Building the ISMS is the first and largest step, and it is the step that puts most of the value of an ISO 17799 implementation back into your hands. Later, the registration process confirms your ISMS as compliant, shifting the major objective to the continual improvement of your Information Security Management System. The real value of the standard, therefore, apart from compliance registration, is a clear strategy for handling security issues within your corporation.
