BS7799 /ISO17799/ISO27001 Explained

Q. What is BS7799?
A. The British standard for information security management.
It is published in 2 parts: BS7799 Part 1 & BS7799 Part 2.
Q. What do these contain?
A. BS7799 Part 1 contains the Information Security Management Code of Practice.
BS7799 Part 2 contains the Requirements for Information Security Management.
Q. So, what then is ISO17799 & ISO27001?
A. The International Standards Organisation (ISO) adopted the British code of practice
in its entirety and gave it an ISO number. So BS7799 Part 1 and ISO17799 both refer
to exactly the same thing. In fact nowadays we no longer use the BS number for Part
1 and refer to it by its ISO number instead. Similarly, there is also an ISO version of
BS7799 Part 2. This is ISO27001. It's important to note that the new international
standard is dual numbered as ISO/IEC 27001:2005, BS 7799-2:2005 and will be
around for some time (expected to be about 2 years), which means that there will be
no difference between certification to BS 7799-2:2005 and the new ISO/IEC
27001:2005. All organisations currently certified to the current BS 7799-2:2002
must take into account the changes to the 2005 version and bring their
information security management system up to date.
To summarise:
The Information Security Management Standard is now published in two parts:
(1) ISO/IEC 17799:2005 Code of practice for Information Security Management
(2) ISO/IEC 27001:2005 Requirements for Information Security Management Systems
Q. Why does anyone need this standard?
A. Primarily, it is in accordance with best practice. Also, compliance will be a corporate
legal requirement in the near future. In 2002 the government had mentioned the year
2009. The British government since 2000 has been actively pushing the
adoption of the standard by all government institutions, organisations,
enterprises and commercial businesses. In fact, all businesses, especially those
involved in any kind of e-commerce (using electronic communications: the internet, e-mail,
etc.) are required to be compliant by 2009. This also applies to all business
partners regardless of their geographical location in the world.
Q. What will all companies have to do to become compliant with BS7799/ISO27001?
A. All companies will have to implement an Information Security Management System in
accordance with ISO17799/ISO27001.
Q. How long will this take?
A. Depending upon the size of the company and the management commitment to its
implementation, anywhere between 6 months and 2 years.
NB: The standard deals with the security of all corporate information, of which only
about 50% specifically relates to IT; the other half relates to the security aspects
associated with people, policies and procedures.
So the above explains what BS7799 is and why companies need it.
Sample Contents of the ISO17799:2000 Standard - 2005 revision
ISO17799 is now made up of 11 (previously 10) control sections which cover:
1. Security Policy
A document to demonstrate senior management's support and commitment to the
Information Security Management System (ISMS).
2. Security Organisation / Organising Information Security (new name for 2005 rev)
Establish a management framework to initiate and control the implementation of information
security within your organisation and to manage ongoing information security provision.
3. Asset Classification and Control / Asset Management (new name for 2005 rev)
A comprehensive inventory of assets with responsibility assigned to ensure that effective
security protection is maintained.
4. Personnel Security / Human Resources Security (new name for 2005 rev)
Well defined job descriptions for all staff outlining security roles and responsibilities, to
reduce the risks of human error, theft, fraud or misuse of facilities.
5. Physical and Environmental Security
Define the security requirements of all corporate premises and those of the personnel
occupying them, to prevent unauthorised access, damage, and interference to business
premises and information.
6. Communications and Operations Management
Optimise your communication & networking systems to facilitate smooth operation of the
Information Security Management System, to ensure the correct and secure operation of
information processing facilities.
7. Access Control
To ensure that only those with the appropriate authority have access to corporate
information wherever it resides, and the protection of the supporting infrastructure.
8. Systems Development and Maintenance / Information Systems Acquisition,
Development and Maintenance (new name for 2005 rev)
To ensure that security is an integral part of information systems, so that IT projects and
support activities are conducted in a secure manner through data control and encryption
where necessary.
9. Incident Management (new section for 2005 rev, previously in Personnel Security)
Ensuring that information security events and weaknesses associated with information
systems are communicated in a manner allowing timely corrective action to be taken.
10. Business Continuity Management
A managed process for developing and maintaining business contingency plans which
protect critical business processes from major disasters or failures.
11. Legal Compliance
Avoid breaches of any criminal and civil law, statutory, regulatory, or contractual obligations,
and any security requirement.
The above 11 control sections contain 37 control objectives, which in turn specify 134 major
controls to be applied. Looking at just one of these sections,
Access Control.
This has 8 control objectives:
1) Business Requirement for Access Control
2) User Access Management
3) User Responsibilities
4) Network Access Control
5) Operating System Access Control
6) Application Access Control
7) Monitoring System Access and Use
8) Mobile Computing and Tele-Working
Each control objective is achieved through a combination of managerial, procedural,
and technical controls. Therefore the control objective number 4,
Network Access Control, would include:
1- 'li"$ n the #se f net+r6 ser.i"es
2- Enfr"ed path
>- Aser a#thenti"atin fr external "nne"tins
?- Bde a#thenti"atin
2- 7e!te dia%nsti" prt prte"tin
;- Se%re%atin in net+r6s
7- Bet+r6 "nne"tin "ntrl
9- Bet+r6 r#tin% "ntrl
9- Se"#rit$ f net+r6 ser.i"es
ISO17799/ISO27001 is a management standard for the protection of an organisation's
information assets. Consequently, if your organisation has a requirement (such as doing
business with UK government agencies/businesses or any ISO27001 company in the supply
chain after 2009) or legal obligation (compliance with Data Protection Acts etc.) to ensure
that information assets are protected, then ISO17799/ISO27001 is for you.
It should be used as a guideline in achieving your information security goals. This is a
strategic decision and must realise some benefits for your business, such as the lack of
certification being the cause of the possible loss of business, or not being able to attract any
new business. You should also take into account all the advantages of achieving certification.
Therefore your decision should be to concentrate on the parts that are applicable to your
organisation and implement them accordingly.
There is not much point in going down the road of certification if you cannot justify, and in
some cases quantify, the benefits to your business. Certification is not a one-off task. The
certificate lasts for 3 years and must be periodically audited by an external assessor.
Whilst some organisations might have a desire to certify, the actual need to certify must be
analysed by weighing up the benefits to your business against the costs involved in
achieving certification.
Organisations should also consider the hidden costs, which are continuous, such as the
manpower required to carry out this project (this could be anywhere from 6 months to 24 months)
and the cost of the controls to be implemented.

Our advice to an organisation that wants to maintain a high standard of information security
is to head down the compliancy route. As your business grows and changes in response to
market forces, you can adapt your ISMS to reflect these changes easily.
ISO17799/ISO27001 has become the de-facto standard for the protection of corporate
information assets, as ISO9001 has become.
In conclusion, ISO17799/ISO27001 as a guideline is for everyone; certification is
ISO17799/BS7799/ISO27001 Products
Q. So, what are we selling? What are our products?
A. ISO17799/BS7799/ISO27001 Education and Consulting.
1) Assist with the implementation of an ISO17799 corporate Information Security
awareness programme (ISO27001 Requirement).
2) Half day "Introduction to ISO17799 ISMS" seminars for up to 20
persons, and
3) Conduct full day ISMS courses for a maximum of 16 persons per tutor (2 & 3
day courses also available).
Courses delivered by security professionals, not academics.
4) Audit assistance
ISO17799 stage 1 & 2 audits performed by a BS7799/ISO17799 Lead Auditor
ISO17799 Gap analysis
5) ISO17799 project implementation planning and management according to BSI
methodologies. Provide assistance with formulating and implementing all
required ISO27001 policies, procedures, and controls.
Q. Who are our target audiences?
A. The management and employees of all medium and large companies, the
members of Institutes (such as the Institute of Chartered Accountants, the
Institute of Bankers, etc.), and the attendees at Corporate IT events.
Q. Who within the organisation should be talking to us?
A. The CEO/CFO, the Data Protection officer, the corporate security officer, the
management of the internal audit department, the IT security department, IT
management, Finance department management, etc.
Q. What qualifies us to offer these services?
A. The fact that we (our company) have been devising and implementing
information security solutions for large corporate clients since the advent of
the UK Data Protection Act of 1984.
Our team of consultants will always be led by an information security
professional who is a qualified BS7799/ISO17799 Lead Auditor and
BS7799/ISO17799 Implementer. Also, the fact that we received the BSI seal
of approval when BSI awarded us Associate Consultancy status for BS7799 in
2003. This means that we are trusted to provide advice and guidance and
implement ISO17799/ISO27001 policies, procedures, and controls in
accordance with BSI methodologies.

Call us in for a chat. Contact us by email at bs7799@aol.com
