Wednesday, August 29, 2007


We are a financial institution that would like to start the process of being compliant with ISO17799 Information Security Management System ISMS. What would be the proper initial steps recommended for such process in terms of training, preparation, building security policies, etc.?

Response from Rebecca Herold:

It is first of all important to understand that there is currently no certification or registration under ISO 17799. There is formal registration under BS 7799, the forerunner of ISO 17799. ISO 17799 is the Information Technology Code of Practice for Information Security Management. It establishes 127 controls under what was just recently (this June) updated to 11 headings. BS 7799-2:2002 is the Information Security Management Systems Specification With Guidance For Use. It provides for the implementation of ISO 17799. BS 7799-2:2002 is currently the only internationally recognized security standard under which your ISMS can be formally registered. An organization can have an ISMS that conforms to BS 7799 as demonstrated by an internal or external analysis that is less formal than that required for registration. However, ISMS registration under BS 7799 is governed by international standards and requires a formal audit process.

Creating a BS 7799-conformant ISMS is a good thing for not only information security, but for business as well. A few of the information security benefits include:

  • Establishes a holistic, quality management-based security and privacy program that also provides verifiable evidence
  • BS 7799 registration is quickly recognized worldwide as a security and privacy differentiator
  • When implemented properly and successfully, an ISMS will significantly limit security and privacy breaches that can cost millions (e.g., lost information, fines/penalties, downtime, internal/external threats, consumer driven litigation, and so on)
  • Provides a documented and repeatable process for information security and privacy corporate governance
  • Ensures that security and privacy is built into all levels of an organization and that all employees are educated on security and privacy as they relate to the business
  • Reduces operational risk by mitigating vulnerabilities

The business impacts are also significant:

  • Brings organizations more confidently and demonstrably into conformance with legal, regulatory, and statutory requirements, such as HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, California SB1386, 21 CFR Part 11, the EU Data Protection Directive, Canada's PIPEDA, as well as many other laws, regulations and industry best practices
  • Provides an organization with market differentiation resulting from a more positive company image and external goodwill parameters, and could very well positively affect the asset or share value of the organization
  • Demonstrates credibility for, and trust in how, the organization protects information, leading to increased satisfaction and confidence of stakeholders, partners, and customers
  • Reduces liability risk and demonstrates due diligence. Can also lower business insurance premiums.
  • Improves business continuity by minimizing internal and external risks
  • Demonstrates management support for internationally accepted security and privacy principles and practices

Here at a very high level are the initial recommended steps to build an ISMS that conforms to BS7799/ISO17799:

    1. Become familiar with ISO 17799 and BS7799. A new version of ISO 17799 was just released at the beginning of June.
    2. Determine the scope for which you want to base your ISMS. Many organizations try to cover the entire organization, but quickly find the scope is far too large to realistically handle. Identify the key areas you want to cover, address them, and then you can always expand your ISMS out to include other areas.
    3. Determine your information security and privacy regulatory, legal, industry, and self-imposed policy requirements.
    4. Select and validate the controls you need for your program. Evaluate your security and privacy policies, procedures, standards, guidelines, and plans. Evaluate your existing security and privacy activities, systems and tools.
    5. Perform a high-level gap analysis to see where your greatest weaknesses exist.
    6. Create a high-level ISMS compliance road map to close the gaps.
    7. Create a detailed ISMS design and implementation plan to support the road map.
    8. Determine resources for performing the implementation steps and identify where you will need outside help, if applicable.
    9. Launch training and awareness throughout the organization for the ISMS. This will be an ongoing process as training and awareness requirements change as the ISMS matures.

There are different approaches to BS 7799 conformance. The one that you choose will depend upon your goals. In order to claim that your ISMS conforms to BS 7799, you must rely on an audit process. This audit process may be formal or informal. The goal of a formal audit is to register your ISMS under BS 7799. This is called a Registration Audit.

  • You may choose to use internal resources to demonstrate that your ISMS conforms to BS7799. In the international standards world of quality management, this is known as a 1st Party Audit since you are auditing with your own personnel.
  • You may choose to have a qualified, independent third party show that your ISMS conforms to BS 7799. In the international standards world of quality management, this is called a 3rd Party Audit since the auditor is not part of your organization. A goal of a 3rd Party Audit can be formal registration under BS 7799. Of course, you might choose to use an independent, outside consultant to check to see if your ISMS conforms to BS 7799. However, it is a Certificate of Registration that results from a formal Registration Audit that has the weight of the international standard.
  • You may also choose to have qualified personnel audit part or all of your supply chain. In the international standards world of quality management, this is called a 2nd Party Audit since you are auditing second parties (your suppliers). This is a vehicle by which business partners can show that they have appropriate and required controls on the information with which you've trusted them. They objectively demonstrate that their ISMSs conform to BS7799. Of course, you may retain the services of independent, third party auditors for this purpose.

Keep in mind that many security incidents have actually been the result of mistakes and poor practices by third party vendors who were performing information activities for other companies; it was the primary company (e.g., Bank of America, Time-Warner and so on) that actually made the headlines, and whose business was most impacted. Accordingly, requiring business partners to conform to BS7799 helps to protect your organization from the business partner's security and privacy inadequacies.

Each country has a limited number of organizations that register conformance with international standards such as BS7799. For example, Bureau Veritas Quality International (BVQi) and the British Standards Institute (BSI) are two organizations that operate in the US and internationally to register ISMSs. These registrars can provide you with lists of consultants who are qualified to assist organizations with their ISMS activities. It is important to use qualified auditors.

It is important to note that bringing an ISMS into registered and certified conformance with BS7799 is no small activity; it is a rigorous process. You cannot simply use BS7799 as a checklist. After familiarization with the standard, the most important step is to identify the scope of the ISMS that you want to register. There are some good guidance documents for estimating times for performing such a conformance certification based upon scope at the BVQi and BSI websites.
