BS 7799 is changing!

Dick Price explains the changing situation in relation to BS 7799. He also aims to dispel one or two myths about the Standard that he has identified whilst training delegates how to implement it.

History and changes

BS 7799, which has been around since the late nineties, comprises two parts:

Part One
BS 7799-1:2000, a Code of Practice for Information Security Management

Part Two
BS 7799-2:2002, currently titled Information security management systems – Specification with guidance for use

Part One became an international standard in 2000, and received the new number of ISO 17799:2000; it was still a British standard, and retained the sub-title of BS 7799-1:2000.

This document has been revised to ISO 17799:2005, and still retains the BS sub-title of BS 7799-1:2005. The revisions have brought the standard up to date, although, as with auditing, the basic principles never change. However, ‘it takes into account changes in technology, technical upgrades, compatibility issues and modern day security techniques. Existing controls have been enhanced and revised, and new controls added. It now provides a complete set of guidelines for an effective Information Security Management System (ISMS).’ [BSI]

Please note that this is not a Standard providing certification – it is a Code of Practice, and it is not possible to be certified to a Code of Practice.

Part Two is the certifiable Standard, certification to which demonstrates that the organisation has in place a viable ISMS, in other words, that it is managing information security properly. The exciting part is that this is becoming an international standard, probably from November or December 2005. It will also come under a completely new numbering system and will be called (in full): BS ISO/IEC 27001:2005 (BS 7799-2:2005) Information Technology. Security Techniques. Information security management systems. Requirements.

So, look out for ISO 27001. Until release date, it is available as a final draft standard (FDIS 27001).

Myths and misconceptions

  1. You cannot be certified to ISO 17799; it is a Code of Practice.
  2. You do not become accredited – you become ‘certified’ or ‘registered’ to Part Two. (The certifying auditors are ‘accredited’ by the UK Accreditation Service, or equivalent body elsewhere in the world.)
  3. You do not fit yourself into the Standard – the Standard fits you, whatever size your organisation is.
  4. You do not have to have all the controls suggested in Part One in place to get certified – based on a risk analysis, you determine which ones are applicable to your organisation’s needs.
  5. You do not have to certify the whole organisation at once; you can specify a discrete part of the organisation to be certified.

Conclusion

At a recent E-Crime Congress in London, the word going round after many of the sessions was that unless BS 7799 was in place, i.e. unless information security was being formally managed by management, all the additional security mechanisms and approaches would be very much less effective.

Organisations are being asked by customers to demonstrate that they are looking after information, that they are trustworthy, and that they comply with relevant laws and regulations. Certification is being looked for on Invitations to Tender, which is affecting, and helping, many smaller organisations.

The fact that BS 7799-2:2002 has become ISO 27001, an International Standard, demonstrates how important management of information security has become on the world stage.

Dick Price QiCA FIIA FCA
Dick has been the IIA-UK & Ireland representative on the BDD/2 Committee for BS 7799, and is now on the shadow committee IST/33, which will provide UK input to further developments of ISO 27001.