

Tuesday, August 28, 2007

BS7799 How it Works


The standard effectively comes in two parts:

  • ISO/IEC 17799:2000 (Part 1) is the standard code of practice and can be regarded as a comprehensive catalogue of good security things to do.
  • BS7799-2:1999 (Part 2) is a standard specification for an Information Security Management System (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.

Please note that certification is against BS7799-2:1999.

Part 1: The Code of Practice

ISO/IEC 17799:2000 defines 127 security controls structured under 10 major headings to enable readers to identify the particular safeguards that are appropriate to their particular business or specific area of responsibility. These security controls contain further detailed controls bringing the overall number somewhere in the region of 500+ controls and elements of best practice.

The standard stresses the importance of risk management and makes it clear that you do not have to implement every single guideline; only those that are relevant. The scope of the standard covers all forms of information, including voice and graphics, and media such as mobile phones and fax machines. The new standard recognises new ways of doing business, such as e-commerce, the Internet, outsourcing, tele-working and mobile computing.

Part 2: The Management Standard

BS7799-2:1999 instructs you how to apply ISO/IEC 17799 and how to build an ISMS. It defines a six-step process (see Figure 1).

Information Policy

It invites you to stand back and think about all of your information assets and their value to your organisation. You ought then to devise a policy that identifies what information is important and why. From a practical point of view, it is only information with some significant value that should be of concern.


Excluding low-value information allows you to define the scope of your management concerns. You may discover that your concerns pervade your organisation as a whole. In this case you will need to regard all of your information systems and their external interfaces (IT and electronic forms of communication, filing cabinets, telephone conversations, public relations and so on) as being in scope. Alternatively, your concerns may focus on a particular customer-facing system. For example, an interesting extreme is the application of BS7799-2:1999 to the development, manufacture and delivery of a security product.

BS7799 is applied in 6 steps (Figure 1).

Figure 1 - The major steps towards BS7799-2 compliance

Risk assessment

Now you know what information is in scope and what its value is, your next move should be to determine the risk of losing that value.

Remember to consider everything. At one extreme you need to consider the complexities of technology; at the other you need to consider business forces in terms of advancing technology and enterprise, as well as the ugly side of industrial espionage and information warfare.

Risk management

You then need to decide how to manage that risk. Your forces certainly include technology, but don't forget people, administrative procedures and physical things like doors and locks and even CCTV. Don't forget insurance. If you can't prevent something from happening, maybe you can discover if it does happen and do something to contain it or otherwise reduce the danger. In the end you will, of course, need an effective continuity plan.

Choose your safeguards

You will then need to choose your "safeguards", i.e. the ways you have selected to manage the risk. BS7799-2:1999 lists a wide variety of such measures, but the list is not exhaustive and you are free to identify additional measures as you please. The list is drawn 1:1 from ISO/IEC 17799:2000.

Statement of applicability

You are required to identify all of your chosen security controls and justify why you feel they are appropriate, and show why those BS7799 controls that have not been chosen are not relevant. Clearly you could decline every BS7799 offering and invent your own. This is not a problem - it is allowed. However, you need to justify it - as much for your own benefit as anyone else's.

The Information Security Management System (ISMS)

The standard requires you to set up an Information Security Management System (ISMS) to make this happen. You should really, of course, set this up in the first place, but standards don't tell you how to do things, merely what you should achieve.
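The six steps above, from scoping by asset value through risk assessment, safeguard selection and the Statement of Applicability, can be modelled as a small risk register. This is an added example and not part of the original article or of BS7799 itself; the control catalogue, control ids (C-01 to C-05), scores and the risk-acceptance threshold are constructed sample data, not the real ISO/IEC 17799 control list. Its main point is the SoA rule the article states: every catalogue control must be either applied with a justification or explicitly shown to be not relevant.

```python
"""Constructed model of BS7799-2 steps 1-5: scope by value, assess risk,
manage it with safeguards, and build a Statement of Applicability (SoA)."""
from dataclasses import dataclass, field

# Constructed sample catalogue (hypothetical ids, not ISO/IEC 17799 numbering).
CATALOGUE = {
    "C-01": "Information security policy document",
    "C-02": "User access management",
    "C-03": "Physical entry controls",
    "C-04": "Business continuity planning process",
    "C-05": "Cryptographic controls",
}
ACCEPTABLE_RISK = 6  # constructed risk-acceptance criterion (value x likelihood)


@dataclass
class Asset:
    name: str
    value: int        # 1 (low) .. 5 (critical), decided in the information policy step
    likelihood: int   # 1 .. 5, chance per year of losing that value
    safeguards: list = field(default_factory=list)  # catalogue ids applied to this asset

    def risk(self, reduction_per_safeguard: int = 1) -> int:
        """Residual risk = value x likelihood, each safeguard lowering likelihood by one."""
        residual = max(1, self.likelihood - reduction_per_safeguard * len(self.safeguards))
        return self.value * residual


def in_scope(assets, min_value: int = 3):
    """Information policy step: low-value information is excluded from scope."""
    return [a for a in assets if a.value >= min_value]


def unacceptable(assets):
    """Risk management step: assets whose residual risk still exceeds the criterion."""
    return [a.name for a in assets if a.risk() > ACCEPTABLE_RISK]


def statement_of_applicability(assets, exclusions: dict) -> dict:
    """Each catalogue control is 'applied' (justified by the assets it protects) or
    'excluded' with a stated reason; any control with neither is a gap in the SoA."""
    applied = {}
    for a in assets:
        for cid in a.safeguards:
            applied.setdefault(cid, []).append(a.name)
    soa = {}
    for cid, title in CATALOGUE.items():
        if cid in applied:
            soa[cid] = ("applied", f"{title}: protects {', '.join(applied[cid])}")
        elif cid in exclusions:
            soa[cid] = ("excluded", f"{title}: {exclusions[cid]}")
        else:
            raise ValueError(f"{cid} is neither applied nor justified as not relevant")
    return soa
```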

Certification schemes

Certification schemes are being established in many parts of the world. It is therefore useful to reveal who the players are and what is going on. Have a look at Figure 2.

The European co-operation for Accreditation document EA7/03 provides guidance to National Accreditation Bodies for the accreditation of Certification Bodies wishing to assess ISMSs, e.g. against BS7799-2:1999. The various National Accreditation Bodies around the world operate a "mutual recognition" process that allows certificates awarded in one country to be accepted by the Accreditation Body of another.

Figure 2: Relationship between the BS7799 certification scheme players

In order to be awarded a certificate, your ISMS will be audited by a BS7799 assessor. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as BSI Assessment Services Limited and Det Norske Veritas).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Other Useful Documentation

BSI has published a useful set of supporting documentation to help apply ISO/IEC 17799:2000 and BS7799-2:1999. They are:

  • Information Security Management: An Introduction (PD3000)
  • Preparing for BS7799 Certification (PD3001)
  • Guide to BS7799 Risk Assessment and Risk Management (PD3002)
  • Are you ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004)
  • Selecting BS7799 Controls (PD3005)

PD3000 provides an overview of the scheme for accredited certification and forms a useful preface to the other guidance documents in the scheme.

PD3001 provides guidance to users of BS7799 and gives detailed information in readiness for assessment against the Accredited Certification Scheme. It offers industry-accepted best practice methods for providing and demonstrating the evidence required by an assessment auditor.

The guide to BS7799 Risk Assessment and Risk Management (PD3002) describes the underlying concepts behind BS7799 risk assessment and risk management, including the terminology and the overall process of assessing and managing risks. It is based on the ISO/IEC Guidelines for the Management of IT Security (GMITS).

Are you ready for a BS7799 Audit? (PD3003) is a pre-certification assessment workbook for organisations to assess and record the extent of their compliance with the control requirements in BS7799: Part 2 and to aid in their preparations for a certification audit. This is a useful starting point for anyone considering BS7799 for the first time. Merely complete the workbook, answering “Yes”, “No” or “Partly”, and explain why. The completed workbook can also serve as your Statement of Applicability.

The guide to BS7799 Auditing (PD3004) provides general information and guidance on auditing ISMSs. It was effectively the BS7799 "audit methodology" for BS7799:1995. Although recently updated for BS7799:1999 Part 1, it probably has the wrong focus now: it should perhaps concentrate on the management of the ISMS, which it does not.

In order to buy a copy of the standard, please contact the British Standards Institute. That will give you the address, phone numbers, e-mail for ordering etc.

For further information visit our pages on risk management.
Source :

ISO 27001: ISMS Highlights

Clarifies and improves existing PDCA process requirements:

  • ISMS scope (including details and justification for any exclusions)
  • Approach to risk assessment (to produce comparable and reproducible results)
  • Selection of controls (criteria for accepting risks)
  • Statement of Applicability (currently implemented)
  • Reviewing risks
  • Management commitment
  • ISMS internal audits
  • Results of effectiveness and measurements (summarised statement on 'measures of effectiveness')
  • Update risk treatment plans, procedures and controls

Succession Planning - A Bigger Solution Than You Might Think

by Martin Haworth

Many companies make it a policy to "hire from within," which is a way of saying that a person can start out on the ground floor of a company and eventually work his or her way up and possibly someday become the company's CEO.

One way of keeping this process possible is by a method called "Succession Planning." Succession Planning is the way a company both promotes its employees and makes sure that it is never caught in the lurch, with a gaping hole in the system.

Succession Planning Benefits

Holes in the hierarchy can create disastrous effects in a company's productivity. This is why it's a good idea to hire from within, so that the only sudden openings are in the lower positions that are easily filled.

One of the aspects of succession planning involves looking over each position periodically and evaluating the person who holds it and the person who is "next in line" - making sure that everything is running smoothly, that the person currently holding the position is working well, and that the person poised to take over could transition smoothly and minimize disruption.

This is a process that typically takes place in the higher levels of management and is important because the time and effort that goes in to training and grooming a successor can take years.

Senior Management Succession Planning

Examples of Succession Planning include the replacement of Jack Welch, the former Chief Executive Officer of General Electric. Prior to his retirement the Board of Directors at General Electric went through a lengthy process of evaluating possible successors.

Succession planning often involves recruiting people and then working with them to develop their skills and making sure that they are ready to advance.

It also involves making sure that the recruit knows what the company's goals are, and involves active planning to keep that recruit happy. A happy recruit is not likely to leave the company suddenly.

Succession Planning Maintains Strategic Direction

Another aspect of succession planning is making sure that the higher powered executives within the company know what the goals and ambitions of the company are, and making sure that everyone is up to date on hiring practices and market trends in their industry.

By keeping the company competitive, the executives won't have to worry about whether or not they are still relevant.

Succession Planning is important to the overall health of an organization and care should be taken in the hiring process to make sure that all employees hired or recruited can be groomed and trained to move up within the company's ranks.

By hiring from within, the company gives people an incentive to want to work there. It also ensures that the company's public reputation stays uniform and competitive.

A competitive company is much more likely to be successful than one that doesn't make an effort to compete at all.

About the Author

(c) 2007 Succession Planning Toolkit. Want a free e-course? Then sign up with a blank e-mail to For more on developing and building an easy-to-run business, you need to develop your people well. You can find out how, right here, on Martin Haworth's fascinating website at

Article Source :

Management Performance

by Paul Abbey

It's important to monitor your management performance; keeping on top of this can really increase your productivity and create an excellent working atmosphere. Management performance needs to be strong, and consistently knowing how your team is doing will ensure that everything is going to be right on schedule.

You want to make sure that your team leader fits specific guidelines. You want them to have excellent networking skills, good control of emotion, and excellent people management skills. It's crucial that they are able to create a good working environment. If you select someone with these important attributes then there is an excellent chance that everything will run smoothly. But this doesn't mean that you shouldn't constantly monitor their performance. It's hard to find good employees, and there are other alternatives to paying a high salary to someone when you can purchase a single piece of software that can complete this job for free. So implementing good management performance software in your company is an excellent way to know who is working to the best of their ability and who is not.

Here are some things that good management performance software can do for you. And the best part of it is that you can monitor everything right from the comfort of your own desk.

It will help you to delegate certain employees to designated tasks. It will give them certain requirements, and as they complete each stage they will check it off within the software, so you will easily be able to follow them by checking the program. This is a great way to track their progress and quickly see who is not working up to their requirements.

This simple-to-use piece of software is one of those things that you thought you could live without, that is until you use it. Project management software is a very valuable asset to any company. It can save you money in many different ways. And if you understand the value of great management performance then you will understand the value of using this type of software in your business, no matter what type of business you may have.

I highly suggest that you begin learning more about how to improve your management performance, and you will discover that this is going to be the answer to your prayers.

About the Author

P Abbey owns and operates Management Performance

Article Source :