Qualityworld

BS 7799: How it works

As pressure increases from consumers and industry to ensure effective information protection, some believe BS 7799 could be the way forward as it potentially gives businesses the structure to address their information security systems. Peter Restell of DISC - the IT arm of BSI - explains why the standard exists and its benefits.

No one can have missed the proliferation of scare stories that abound in the media about security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks (when a website is flooded with data) have become more common, more ambitious and increasingly sophisticated. The damage to an organisation's reputation in the marketplace can be immeasurable in terms of lost customer confidence and trust.

Alongside this are growing numbers of articles and evidence about the potential benefits of doing business electronically and utilising the possibilities of information technology to do business better, faster and in new ways.

In order to balance the desire to capitalise on these opportunities, whilst limiting the potential for disaster, more and more organisations are looking for guidance, assurance and support on best practice. A sensible approach needs to be found to protect information, whilst at the same time allowing appropriate access to enable organisations to go about their business with confidence.

Against this backdrop, there is also the implementation of the 1998 Data Protection Act, which brings with it increased obligations on organisations to implement appropriate data security measures. The objective is to prevent unauthorised or unlawful processing and accidental loss or damage to data pertaining to living individuals. The new legislation has been extended to include non-computerised or manual records. Material held in filing cabinets, index cards, microfilm collections and videotape collections are now subject to the act.

A helping hand?

BS 7799 - the standard on information security management - provides a well-proven framework to implement information security within an organisation. It offers a business-led approach to best practice for information security management in your organisation. Information security is characterised within BS 7799 as the preservation of:

  • confidentiality
  • integrity
  • availability

Originally published in 1995, BS 7799 was updated and substantially revised in April 1999 to take account of developments in the application of information processing technology, particularly in the area of networks and communications. It also gave greater emphasis to business involvement in, and responsibility for, information security. New controls were included in areas such as e-commerce, teleworking, mobile computing and so on, but the standard remained technology independent. Because the standard has developed an increasingly international reputation and is used by many countries, in 2000 the committee responsible for it decided that BS 7799 (part 1) should be submitted for approval as an international standard. This process was successfully completed in December 2000, and the standard is now available as BS ISO/IEC 17799.

It takes all sorts...

It is important to realise that the standard addresses security of information, not just IT security. Information can exist in many forms - it can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on films, spoken in conversation or on the telephone. Whatever form the information takes, or by whichever means it is stored, shared or used, it should always be appropriately protected.

Drawing on the concept of risk assessment, the standard enables organisations of all types and sizes to create an information security management system that is most appropriate for their needs. It is not prescriptive: controls shown to be irrelevant for a particular organisation can be omitted, and additional controls not in the standard can be included later to address unusual circumstances.

Confidence and trust

The continuing push to utilise IT to conduct business electronically and globally requires a high degree of trust between customer and supplier and between trading partners. It demands confidence in the effective management of the technology and processes that look after data and information. Increased fear of losing, corrupting or exposing information has driven organisations to look for effective means to allay customer concerns and deliver business benefits.

Over the past couple of years, there has been growing interest in the concept of third party certification against BS 7799 as a means to address these concerns. This led to the development of part 2 of BS 7799. This stipulates a process of establishing and developing an information security management system (ISMS), written as a specification, which can therefore be used effectively to conduct audits, both internal and third-party.

Currently there are 84 organisations certified to BS 7799 (46 of these are in the UK). Typically they are from all sectors of industry, including consultants, banking, finance, telecommunications, pharmaceuticals, database management and local authorities. International interest in BS 7799 certification is also growing, particularly in the Far East, and now accounts for 38 certificates. (Up-to-date details of these registrations may be found at www.xisec.com/.)

Why do it?

Potentially, certification against BS 7799 will bring three main benefits. First, internal benefits - ensuring that an appropriate management system is in place to look after the security of an organisation's own information. Second, improved confidence from trading partners - being able to demonstrate that the organisation has undergone a competent, impartial, independent assessment against BS 7799 will prove that it is serious about information security and that information is safe whilst in its care.

Finally, the organisation is able to demonstrate compliance with the 1998 Data Protection Act's security requirements. In the UK, the data protection commissioner has stated that if an organisation can demonstrate compliance to BS 7799, her office will be satisfied that appropriate measures are in place to meet the security requirements of the 1998 Data Protection Act.

Recent developments

Further development of part 2 of the standard commenced late in 2001 and a 'draft for public comment' was released on 2 January 2002. This revision was developed primarily to harmonise and align it with other management system standards such as ISO 9001 and ISO 14001. It also applies the notion of a continual ISMS improvement cycle by introducing and applying Deming's 'plan-do-check-act' process model.

This can be used as part of a management system approach to developing, implementing and improving the effectiveness of an organisation's ISMS. No new auditing requirements regarding the implementation, maintenance and improvement of an organisation's ISMS are imposed by the introduction and interpretation of this revision. The revision is designed to be consistent and backward compatible with the 1999 version of BS 7799 part 2.

Worldwide approach

Information is an asset which, like other important assets, gives value to an organisation and consequently needs to be recognised and suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimise business damage and maximise return on investments and business opportunities.

There is no doubt that security of information will be one of the critical issues and key business enablers for all organisations in the next few years. BS 7799 is increasingly being implemented successfully by organisations in many countries around the world and this should encourage a common worldwide approach to information security management.

Information is available from the BS 7799 dedicated website at www.c-cure.org or by telephoning the c:cure office at BSI-DISC on 020 8995 7799.

BSI-DISC publishes a range of guidance material, including a series of guides on BS 7799 and it holds regular seminars and workshops on BS 7799 implementation.

Additional services from BSI

The recently developed RA Software Tool enables gap analysis, risk assessment and risk management to be conducted against BS 7799 and assists with the selection of controls to reduce the risks. DISC PD 0012 provides practical advice to organisations on reviewing existing data and planning future processing of information under the new legislation. The data protection update service - a subscription-based information service - ensures that subscribers are kept up to date on data protection topics.

Peter Restell is a business programme manager in DISC, the part of BSI responsible for IT, telecommunications and document management activities. He manages the BSI committee BDD/2 that is responsible for BS 7799. He is also responsible for the associated BS 7799 Guides and RA software tool.

© Qualityworld February 2002