

Sunday, September 23, 2007

BS 7799 Certification

In the information security space, we believe that people are both the strongest and the weakest link in any attempt to secure one's IT resources. Security professionals are responsible for making and breaking the best security systems developed to date.

The best way to validate one's attempt to provide effective information security management is first to benchmark it against the BS 7799 standard and then to have it certified by an external vendor.

In the earlier articles we looked at the finer aspects of the standard, discussing the standard itself, risk assessment, implementation and risk management.

In this final session we will attempt to understand the structure and steps involved in certification for BS7799.

A quick recap

Before we go into the details of acquiring certification, we need to go back and look at what constitutes the standard and what a company will be certified for:

ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in Information Security".

BS7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). An ISMS is the means by which senior management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.

Please note that certification is against BS7799-2:1999.

Before a certificate is awarded, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Domains on which one would be assessed:

As discussed in the earlier sessions, the company needs to prepare its policies and procedures, which would cover the following domains:

  • Security policy
  • Security organisation
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Systems development and maintenance
  • Business continuity management


Statement of applicability

BS 7799 requires a company to identify the processes and controls that it actually works with in practice. If, for example, the company does not need to outsource any of its functions to an external vendor, it can state that the control "Security requirements in outsourcing contracts" is not relevant to that particular organisation.

You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant.

Preparing oneself for Certification:

The traditional formula of Plan, Do, Check and Act (the PDCA cycle) works well with BS 7799 too, and it is a good place either to start or to review the progress of the implementation team.


While planning, one has to be particularly careful about the business context in which the ISMS is being prepared. This includes defining business policy and objectives, estimating the scope of the ISMS, deciding on and collecting resources for conducting the risk assessment, and adopting a definitive approach to identifying, analysing and evaluating risks on a continuous basis.


While implementing the ISMS, the focus should always be on building a long-running and faultless mechanism for managing risk. This includes evaluating the options of automated or manual systems; the ideal method is to strike a perfect balance between the two. BS7799 controls need to be addressed, as our ultimate objective is to acquire certification.

Deploy qualified and tested vendors to implement the various products and solutions that are required. Preparation of the statement of applicability is also an important step in which management plays an important role.


Here is where one has to get an external security audit team qualified to perform a third-party security audit for BS7799. Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre-assessment audit.

The audit team would check for appropriate controls and evidence of implementation.

For example, if a company has prepared a policy for contractual agreements, it would have to submit the templates and the documents that third-party contractors have signed for security.

Implementation would also include continuous monitoring of the ISMS from the perspective of satisfying business needs first and its practical validity in the organisation.


After checking for flaws and vulnerabilities, the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions.

Preventive actions for unseen but predictable incidents can be taken, and policies to drive them into action can be framed at an appropriate time.

Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences that arise should be tackled with justification and transparency. Management, partners and users should be trained on policies and procedures.

Creative techniques, such as designing posters that clearly state rules such as those for PC usage and the best practice followed in password framing and maintenance, can go a long way towards the success of the policies and procedures.

The 4 Step method of Certification

The Plan, Do, Check and Act framework is cyclic and has to be carried out continuously over the long run, with the solid backing of management.

We now come to the specifics of the certification process.

Step One

Desktop Review:

All documented policies and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the audit team.

One important check on documentation will be its validity and relevance to BS7799 controls.

The following documents need to be presented:

ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.

Step Two

Technical Review

The definition and implementation of Security Architecture with its various products and networking components are checked for vulnerabilities and possible risk exposure.

The company would also need to submit a ‘permissible risk’ statement; this is the risk that the company can afford to take.

Step Three

Internal Audit

The team of BS7799 implementers and BS7799 professionals can take up an initial internal audit, in which non-conformances are picked up and recommendations are documented.

This step involves a simulation of the real third-party audit and has to be taken seriously by the team and by users of IT in the company.

Step Four

External Audit- Certification

The invitation to the certification company is predetermined, and the company gets ready to face the external auditors.

The company consultants and internal team would not be allowed to be part of the audit team.

They can assist and help auditors find relevant material.

The auditors check for documentation and objective evidence with the following questions in mind:

  • Are records correct and relevant?
  • Are policies known and tested?
  • Are policies communicated?
  • Are controls implemented?
  • Are policies followed up?
  • Are preventive actions taken?

The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.


After the audit, the certification company recommends the company for BS7799 certification. This is certainly a victory for the IT team, as they can be assured that their IT systems are world class and that the possibility of a security incident happening is minimal.

To summarize the series, BS7799 is a culture one has to build in the company, which would help one:

  • Heighten security awareness within the organisation
  • Identify critical assets via the Business Risk Assessment
  • Provide a structure for continuous improvement
  • Be a confidence factor internally as well as externally
  • Enhance the knowledge and importance of security-related issues at the management level
  • Ensure that "knowledge capital" will be "stored" in a business management system
  • Enable future demands from clients, stockholders and partners to be met

Recommended Reading

  • Information Security Management: An introduction (PD3000)
  • Preparing for BS7799 Certification (PD3001)
  • The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
  • Are you Ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004)
  • Guide on selection of BS 7799 controls (PD3005)
  • BS7799 : Part 1: 1999 Code of Practice for information security management
  • BS7799 : Part 2: 1999 Specification for information security management systems
  • EA Guidelines 7/03

BS7799 Interpretation Guide (Free Download):

Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.

DNV started its operations in Region India in 1972 and has established itself as a leading classification society. Ever since, DNV has been providing classification, certification, consultancy and verification services for the marine, offshore and land-based process industries, for both the public and private sectors.

DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.

Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.

For comments and questions on this paper please write to:

Source :

Information Security Principles (ISO/IEC 17799)

Security policy
- An Information Security Policy document will be available to all staff and students
- Senior management shall set a clear direction and demonstrate support for, and commitment to, information security across the University
- Information systems owners will be responsible for ensuring the design, operation and use of IT systems comply with Information Security Policies

Security organization
- Responsibility for governing and managing security of information rests with the executive management of the University
- A management framework will be established to initiate and control the implementation of information security within the University
- Information security governance must fit into and support the IT governance framework
- Responsibilities for the protection of individual assets, and for carrying out specific information security processes, rest with information systems owners
- Third parties will be provided access under formally managed conditions only
- Security requirements must be addressed as part of outsourcing contracts

Asset classification and control
- All information systems should be accounted for and have a nominated information system owner
- Classification labels must be used to indicate the need and priorities for security protection

Personnel security
- Security should be addressed at recruitment, included in relevant job descriptions and contracts, and monitored
- Users of information should be trained in security procedures and the correct use of IT facilities
- Users should be formally authorised in writing of their scope to access information systems
- Incidents affecting security should be reported through approved channels as quickly as possible
- All staff, contractors and students should comply with all prevailing legal and community standards relating to data confidentiality and privacy

Physical and environmental security
- IT facilities supporting critical or sensitive business activities must be physically protected from:
+ unauthorized access, damage and interference
+ the effects of environmental events such as fire, electrical supply failure, natural disasters and terrorism

Computer and network management
- The integrity, accuracy and availability of data is to be maintained in a manner appropriate to the business requirement
- Procedures must be established for the operation and management of all computers and networks
- Controls are to be developed to reduce the risk of negligent or deliberate system misuse

Access control
- Access to computer services and data should be controlled on the basis of business requirements
- IT will provide appropriate access and security control systems
- Users should only be allowed access to the data that is necessary for them to do their job

Systems development and maintenance
- Security requirements must be identified and agreed prior to the development or procurement of IT systems
- Appropriate controls, including audit trails, should be designed into applications
- Access to project, support and development environments and associated test data should be closely controlled

Business continuity planning
- Plans must be available to protect critical business processes from the effects of major failures and disasters

Audit and compliance
- All relevant statutory and contractual requirements of information systems should be explicitly defined and documented
- The security of IT systems should be regularly and independently reviewed
- Adherence to all relevant privacy laws is compulsory
- Data will be protected against loss and unauthorised access commensurate with its value and the requirements of the regulators and legislators
- IT will monitor and report on access and security breaches, including unsuccessful attempts

Source :