BS7799 Contents of Part 1
• Scope
• Terms and definitions
• Security policy
• Security organisation
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
BS7799 Contents of Part 2
• Scope
• Terms and definitions
• Information security management system requirements
• Detailed controls (the ten control areas of Part 1, restated as requirements)
1. Security policy
2. Security organisation
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance
Critical Success Factors
• Policies, Objectives and Activities that reflect business objectives
• Appropriate resources
• Consistency with culture
• Visible support and commitment from management
• Clear understanding of the security requirements and risk
• Effective marketing of security to all employees
• Distribution of information to all partners, suppliers, employees and contractors
• Providing appropriate training and education
• Key performance indicators
Selecting Controls
• Identify business objectives
• Identify business strategy
• Identify security strategy
• Identify and implement controls
Key controls
1. Information security policy document
2. Allocation of security responsibilities
3. Information security education and training
4. Reporting of security incidents
5. Virus controls
6. Business continuity planning
7. Control of proprietary software copying
8. Safeguarding of company records
9. Compliance with data protection legislation
10. Compliance with the security policy
Certification requirements for BS7799/ISO 17799
The organisation shall establish and maintain a documented ISMS, comprising:
• Management framework
1. Risk management approach
2. Identified control objectives and controls
3. Documented evidence:
- evidence of the actions undertaken
- a summary of the management framework
- the procedures adopted to implement the controls
- the procedures covering the management and operation of the ISMS
In 2005 the International Organization for Standardization released ISO/IEC 17799:2005, a code of practice which establishes guidelines and general principles for initiating, implementing, maintaining and improving information security in an organisation. Its controls are intended to be implemented to meet the requirements identified by a risk assessment. Note that ISO/IEC 17799 is guidance, not a certification specification: certification is carried out against BS7799 Part 2, which was adopted as ISO/IEC 27001 in the same year.
Management framework
• Define the policy
• Define the scope of the information security management system
1. Characteristics of the organisation
2. Location
3. Assets
4. Technology
• Undertake risk assessment
1. Threats
2. Vulnerabilities
3. Impacts
4. Degree of risk
• Manage the risks
• Select control objectives & controls
• Prepare statement of applicability
1. Selected control objectives and rationale
2. Exclusion of controls and rationale
Applying BS7799/ISO17799
• A Practical Approach
• Gap Analysis
• Action Planning
• Risk Assessment and Treatment
• Developing an improvement programme
• Effective Statement of Applicability
• Planning and Costing a BS7799/ISO17799 project
• ISMS (Information Security Management System)
• Audit
I wish you great success.
2 comments:
Can anyone recommend a robust network management utility for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central remote support? What is your best take on cost vs performance among those three? I need some good advice please... Thanks in advance!
Finally, a blog with useful information.
Thank you.