Information Security Management Systems
Information Security Management Systems help organizations to make sure their data is safe and secure, however the data is stored. Use the links below to find out more.
- History of BS 7799 (now BS ISO/IEC 17799 and BS ISO/IEC 27001) (see Notes 1 and 2)
- What is BS ISO/IEC 17799 and BS ISO/IEC 27001? (formerly BS 7799)
- Certification against BS ISO/IEC 27001
- What are the benefits of BS ISO/IEC 27001?
- How much does registration (certification) cost?
- Further information
History of BS 7799
In the early 1990s, there was growing concern about the security of information because of the increasing number of computer networks and the reliance of businesses on electronic data collection and processing. Fraud, espionage, sabotage, vandalism, fire, flood, computer hacking and computer viruses are all security threats to electronic data.
BSI worked with businesses and other groups to develop a standard that would increase awareness of security issues and suggest controls to help protect information in all types of organizations in the UK.
BS 7799 was first published in 1995 to give guidance on implementing Information Security Management, and was revised in April 1999 to take account of technology developments, particularly in the area of networks and communications. It also gave greater emphasis to business involvement in, and responsibility for, information security. New controls were included in areas such as e-commerce, tele-working, mobile computing and so on. However, the Standard doesn't apply to specific technologies.
The 1998 Data Protection Act requires organizations to use appropriate data security measures to prevent unauthorised or unlawful processing of, and accidental loss of or damage to, data that relates to living individuals. The legislation also covers non-computerised (manual) records, so material held in filing cabinets, index cards, microfilm collections and videotape collections is now also subject to the Act. Consequently, the standard also covered the security of all types of information, held both electronically and non-electronically.
BS 7799-2 was developed in 1999 to support companies in gaining certification to BS 7799. In 2005 it was updated and replaced by an international standard and is now known as ISO/IEC 27001.
Note 1: the IEC (International Electrotechnical Commission) is the organisation that develops international standards in the electrical/electronic sector.
Note 2: The standard is now international and is known worldwide as ISO/IEC 27001. In the UK it is usually referred to as BS ISO/IEC 27001.
What is BS ISO/IEC 27001?
BS ISO/IEC 27001 provides a framework for implementing information security within an organisation. The Standard characterizes information security as the preservation of:
- Confidentiality - ensures that information is accessible only to those authorized to have access;
- Integrity - safeguards the accuracy and completeness of information and processing methods;
- Availability - ensures that authorized users have access to information and associated assets when required.
Importantly the Standard addresses security of information, not just IT security. Information can exist in many forms - printed or written on paper, stored electronically, transmitted by post or electronically, shown on films, or spoken in conversation or on the telephone. Whatever form the information is in, and however it is stored, shared or used, it should always be appropriately protected.
The Standard enables all types and sizes of organisations to create an Information Security Management system that is appropriate for their needs. It is not prescriptive: controls that are irrelevant for a particular organisation can be left out, and additional controls that are not in the Standard can be included to address unusual circumstances. BS ISO/IEC 27001 will be one of a number of security standards published as part of the BS ISO/IEC 27000 series. The series is as follows:
- BS ISO/IEC 27000 – Fundamentals and vocabulary (to be published 2007/8)
- BS ISO/IEC 27001 – Information security management systems – Requirements (published 2005)
- BS ISO/IEC 27002 – Code of practice for Information security management (currently known as BS ISO/IEC 17799 but will be altered by ISO to 27002 in 2007)
- BS ISO/IEC 27003 – Implementation guidance (to be published 2007/8)
- BS ISO/IEC 27004 – Metrics and measurement (to be published 2007/8)
- BS ISO/IEC 27005 – Information security risk management (to be published 2007/8)
The standard is currently published in the UK as three parts:
- BS ISO/IEC 17799 (formerly BS 7799-1) Information technology. Specification for information security management.
- This part is a code of practice that can be used by an organisation as a starting point for developing practices specific to its needs. It can be used to establish an organization's guidelines and general principles for initiating, implementing and improving information security standards and effective security management practices, perhaps identified in a risk assessment.
- BS ISO/IEC 27001 (formerly BS 7799-2) Information technology. Security techniques. Code of practice for information security management
- This part states requirements for implementing and operating an Information Security Management System. It provides a foundation for third-party audit and is written in a style that conforms with other management system standards, such as ISO 9001 (Quality) and ISO 14001 (Environment). It also introduces the Plan-Do-Check-Act (PDCA) process model as part of a management system approach to developing, implementing, and improving the effectiveness of an organisation's ISMS within the context of its overall business risks.
- BS 7799-3 Information security management systems. Guidelines for information security risk assessment
- BS 7799-3, published in March 2006, is a British Standard and gives guidance to support the requirements given in BS ISO/IEC 27001 regarding all aspects of an information security management system (ISMS) risk management cycle. This includes assessing and evaluating the risks, implementing controls to treat the risks, monitoring and reviewing the risks, and maintaining and improving the system of risk controls.
Certification against BS ISO/IEC 27001
The ever-increasing use of information technology to conduct business electronically and globally requires a high degree of trust between customer and supplier, and between trading partners. It demands confidence in effective management of the technology and processes that look after data and information. Fear of losing, corrupting or exposing information has driven organisations to look for effective means to allay customer concerns and deliver business benefits.
As a result, there was growing interest in the idea of third-party certification against BS 7799. This led to the development of Part 2 of BS 7799. Part 2 (now BS ISO/IEC 27001) specified a process of establishing and developing an Information Security Management System (ISMS), written as a specification, that can be used to conduct audits both by internal and third-party assessors.
What are the benefits of BS ISO/IEC 27001?
Customers and trading partners benefit because:
- they know that the organisation has undergone a competent, impartial, independent assessment, so information is safe whilst in its care
- taking the opportunity to review and improve an information security system provides a robust and efficient system
- using security builds confidence with customers and suppliers
- secure online ordering can boost business, enabling 24/7 operation
- they are managing their risks more effectively
- they are protecting the company/brand image.
People in the organization benefit by:
- having an appropriate management system in place to look after the security of the organization's own information
- knowing that they are complying with the 1998 Data Protection Act's security requirements.
Society benefits because:
- there is a growing awareness of information security issues especially relating to protection of personal data
- the availability of secure electronic data transmission techniques enables society to use the internet as a means of conducting personal, business and pleasure activities.
How much does registration (certification) cost?
The cost depends on a number of factors such as the size of company, number of sites, type of company and complexity of processes, so costs have to be estimated on a case-by-case basis.
Further information
The following websites have further in-depth information on the BS ISO/IEC 27001 standards:
- Further information and FAQs from BSI
- Organisation for Economic Co-operation and Development, Directorate for Science, Technology and Industry
Up-to-date details of the organizations certified to BS ISO/IEC 27001 may be found at www.iso27001certificates.com/
News and articles about Information Security issues, benefits to businesses and consumers, and on certification, can be read in Business Standards, the on-line magazine for businesses. For items in non-current issues, use the search function on the magazine's home page.