Thursday, January 10, 2008

BS7799-2 - the ISMS concept

An idealised structure for an ISMS is shown opposite. It shows the traditional approach to risk management augmented by the addition of a new feedback loop. In scoping the problem, BS7799-2 implies an "information-centric" view of the world, to avoid the trap of failing to take account of less obvious vulnerabilities such as people, cell phones and laptops. It further implies information policies that clearly identify the business priorities concerning information, and why, and in addition, risk assessments that identify what networks really are, not what people think they are!

Diagram of the original (1999) concept of an ISMS, showing that a feedback loop is required from the step called "managing the risks" back to the previous step called "perform the risk assessment". Dr. Brewer referred to the original ISMS specification as a weak specification because this feedback loop was missing. In the 2002 revision (as in the 2005 ISO/IEC standard) this feedback loop is included through adoption of the Deming cycle (plan-do-check-act).

BS7799-2 requires management to identify vulnerabilities and select safeguards with a priority that matches the business priorities specified in the security policy. Reiteration is encouraged, choosing alternate safeguards until management is satisfied with the residual risks and the costs involved. Once the chosen safeguards have been implemented, the ideal ISMS monitors their effectiveness; it does not assume that they will work as intended. Management should regularly re-appraise the situation. Even if nothing is supposed to have changed, the risk assessment should be repeated regularly (this is the new feedback loop). Management should assume, for example, that their networks have changed - most networks do with time! In any case, doubtless someone will have identified new vulnerabilities. Of course, if the business requirements have changed, there will be a need to re-scope the problem and revise the security policy accordingly.
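The loop described above can be made concrete as a small plan-do-check-act model. The following Python is an added example written for this page, not code from the standard, from Dr. Brewer or from the ISMS Guides site. The assets, likelihoods, impacts, costs and effectiveness figures are constructed, and the scoring model itself (risk as likelihood times impact, safeguards multiplying the remaining risk by one minus their effectiveness, and safeguards selected in business-priority order) is an assumption chosen to illustrate the point, not a method the standard prescribes. What it shows is the feedback loop at work: a safeguard's assumed effectiveness is replaced by the monitored figure, which pushes residual risk back above tolerance and forces a re-assessment.

```python
"""Toy plan-do-check-act model of the ISMS loop: assess -> select safeguards
by business priority -> implement -> monitor effectiveness -> re-assess."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vulnerability:
    asset: str         # information asset: a database, laptops, phones, people...
    likelihood: float  # chance of exploitation over the review period, 0..1
    impact: float      # business impact if exploited, 0..10
    priority: int      # business priority taken from the security policy (1 = highest)


@dataclass
class Safeguard:
    name: str
    covers: frozenset                       # assets whose risk this safeguard reduces
    assumed_effectiveness: float            # design-time expectation, 0..1
    cost: float
    measured_effectiveness: Optional[float] = None  # filled in by monitoring ("check")
    implemented: bool = False

    def effectiveness(self) -> float:
        # Once monitoring data exists, stop trusting the design assumption.
        if self.measured_effectiveness is not None:
            return self.measured_effectiveness
        return self.assumed_effectiveness


def residual_risk(vulns, safeguards) -> float:
    """Assumption: risk = likelihood * impact, each implemented covering safeguard
    multiplies the remaining risk by (1 - effectiveness)."""
    total = 0.0
    for v in vulns:
        remaining = 1.0
        for s in safeguards:
            if s.implemented and v.asset in s.covers:
                remaining *= 1.0 - s.effectiveness()
        total += v.likelihood * v.impact * remaining
    return total


def plan_and_do(vulns, candidates, tolerance):
    """Plan: walk the candidates in business-priority order (cheaper first on ties)
    and implement each one until the residual risk is within tolerance."""
    def order_key(s):
        pris = [v.priority for v in vulns if v.asset in s.covers]
        return (min(pris) if pris else 99, s.cost)
    chosen = []
    for s in sorted(candidates, key=order_key):
        if residual_risk(vulns, candidates) <= tolerance:
            break
        if not s.implemented:
            s.implemented = True  # "do"
            chosen.append(s.name)
    return chosen


def check(candidates, measurements):
    """Check: record monitored effectiveness for implemented safeguards."""
    for s in candidates:
        if s.implemented and s.name in measurements:
            s.measured_effectiveness = measurements[s.name]


def run_cycle(vulns, candidates, tolerance, measurements):
    """One plan-do-check-act cycle; returns what was decided and observed."""
    chosen = plan_and_do(vulns, candidates, tolerance)
    planned = residual_risk(vulns, candidates)
    check(candidates, measurements)
    observed = residual_risk(vulns, candidates)
    return {
        "chosen": chosen,
        "planned_residual": planned,
        "observed_residual": observed,
        "acceptable": observed <= tolerance,   # "act": loop again if False
        "total_cost": sum(s.cost for s in candidates if s.implemented),
    }


def demo():
    # Constructed scenario; all figures are illustrative.
    vulns = [
        Vulnerability("customer-db", 0.5, 8.0, priority=1),
        Vulnerability("laptops", 0.4, 6.0, priority=2),
        Vulnerability("phones", 0.6, 3.0, priority=3),
    ]
    candidates = [
        Safeguard("patch-management", frozenset({"customer-db"}), 0.8, 3.0),
        Safeguard("disk-encryption", frozenset({"laptops"}), 0.9, 2.0),
        Safeguard("mobile-device-policy", frozenset({"phones"}), 0.7, 1.0),
    ]
    tolerance = 2.0
    # Cycle 1: monitoring later shows patching is only half as effective as assumed.
    cycle1 = run_cycle(vulns, candidates, tolerance, {"patch-management": 0.5})
    # Cycle 2: re-assess with a newly available safeguard; no new measurements.
    candidates.append(Safeguard("network-segmentation", frozenset({"customer-db"}), 0.6, 4.0))
    cycle2 = run_cycle(vulns, candidates, tolerance, {})
    return cycle1, cycle2


if __name__ == "__main__":
    for i, c in enumerate(demo(), 1):
        print(f"cycle {i}: {c}")
```

In the first cycle the plan looks adequate on paper (residual about 1.58 against a tolerance of 2.0), but once the monitored effectiveness of patch management replaces the assumed figure the residual rises to about 2.78, so the loop does not close and the second assessment has to select a further safeguard. Repeating the assessment even when nothing appears to have changed is what makes that discrepancy visible.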
