This page offers a brief overview of the BS 7799 information technology security standard. Rycombe offers a number of services to companies undertaking the route to BS 7799 compliance. See the bottom of this page for details, or Contact Us for more information.
BS 7799 is an internationally recognised standard for information security that will enhance your reputation and give you and your customers confidence in your organisation's information security systems.
What is information security?
Information exists in many forms: on paper, stored electronically as documents or photos, or as spoken word or video. It is key to almost every enterprise and needs to be protected.
Information security has three aspects:
With BS7799, information security comes from implementing controls (policies, practices, procedures, organisation structures and software functions) to meet the security objectives of the organisation.
Need for information security
Most organisations now depend on their information systems in order to operate. This becomes a weakness if those systems are vulnerable. Threats and vulnerabilities can come from a number of sources, including but not restricted to fraud, vandalism, fire, flood and the internet (hacking, viruses, denial-of-service attacks).
Requirements of an information security system
Many systems are not designed to be secure, and even where they are, information security cannot be achieved through technical means alone. For instance, distributed systems and internetwork computing make effective access control harder to achieve. Technical means must be supported by management and procedures. Every member of an organisation who uses information should be familiar with the controls that affect them. Suppliers and customers may also need to be part of the system.
It should be noted that here, as elsewhere, information security controls are cheaper to implement at the requirements or design stage than to retrofit onto an existing system.
What are your security requirements?
Requirements can be derived from a number of sources:
In assessing risks it is important to be systematic. In each case consider the damage likely to result from a security failure, and the likelihood of that failure occurring given your current threats and vulnerabilities and the controls already in place.
Risk assessment is therefore the consideration of the consequences of each possible failure in relation to the likelihood of that failure occurring. It is also essential to repeat risk assessments periodically, to take account of changes in the way the business operates and of any new threats and vulnerabilities that may arise, and to confirm that your controls remain effective.
Once the security requirements are known, it is then necessary to select a set of controls to ensure that risks are managed.
Where to start
The following controls can be thought of as a good set to start with. They are made up of a group that satisfies legislative requirements and a group that represents common best practice for information security.
Required by legislation:
Common best practice:
Factors Crucial to Success
Once you have your selected controls in place, you can undertake an external audit and become certified against the standard. This has the advantage that you can have confidence that you are in control of information security in your organisation, which in turn can reassure you, your trading partners, customers and stakeholders.
How does Rycombe fit in?
We have over ten years' experience in information security certification and consultancy. We provide a cost-effective service tailored to the individual needs of your organisation, and can work on a fixed-price or time-and-materials basis. Depending on your requirements, we can hand-hold you through the whole process, performing risk assessment, writing policies, developing controls and training staff. Alternatively, we can perform smaller tasks as needed, including auditing your information security management system, performing a vulnerability analysis of your information security system, or whatever else you may need from us. The best thing to do is to contact us and discuss your situation, and we can produce a proposal to match.
BS7799 is a standard written and maintained by the British Standards Institute, which provides comprehensive information on the standard and on where to obtain it. In addition, the BSi can certify you against the standard.