BS7799 and ISO 17799 Certification
What is BS7799 and ISO 17799 Certification?
Security is one of the most important issues faced by software companies today. There should be some way to judge whether the security provided by a firm meets an international standard. Sound information security is the cornerstone of sensible corporate governance.
The emergence of an international standard for assessing the information security environment of a company was inevitable. BS7799/ISO 17799 certification performs exactly this task. If a company holds this certification, it means that the company pursues policies and maintains standards that make its information relatively more secure than that of companies without the certification. It is always wise to work with firms that are in a better position to secure information, both theirs and yours.
What is BS7799 / ISO 17799?
These standards were developed to create a common information security structure. They cover the technical, administrative and legal aspects of a firm. The standards define ten checkpoints that enumerate the best practices and procedures a company must implement to manage its computer security well. The principles laid out in BS 7799 / ISO 17799, if implemented, make it possible to detect, analyze and reduce information risks.
The BS7799 / ISO17799 standard contains two parts:
- ISO IEC 17799 Part 1: The Code of practice for information security
- BS7799 Part 2 (BS7799-2): Information security management
The British Standards Institution (BSI) developed this standard. It was adopted through a special fast-track procedure by JTC 1 (the Joint ISO/IEC Technical Committee) and was also approved by the national member institutes of ISO and the IEC.
ISO/IEC 17799 is presented in the form of guidelines and recommendations, which came into being after consultations with large businesses. The 36 security objectives and 127 security controls contained in ISO/IEC 17799 are divided among ten domains.
ISO/IEC 17799 (Part 1)
- Security Policy - Provide guidelines and management advice for improving information security.
- Organizational Security - Facilitate information security management within the organization.
- Asset Classification and Control - Carry out an inventory of assets and protect these assets effectively.
- Personnel Security - Minimize the risks of human error, theft, fraud or the abusive use of equipment.
- Physical and Environmental Security - Prevent the violation, deterioration or disruption of industrial facilities and data.
- Communications and Operations Management - Ensure adequate and reliable operation of information processing devices.
- Access Control - Control access to information.
- Systems Development and Maintenance - Ensure that security is incorporated into information systems.
- Business Continuity Management - Minimize the impact of business interruptions and protect the company's essential processes from failure and major disasters.
- Compliance - Avoid any breach of criminal or civil law, of statutory or contractual requirements, and of security requirements.
BS 7799-2 (Part 2)
This part sets out the requirements for information security management. It covers the ten domains and 127 controls of the ISO 17799 standard, and is concerned with the development, implementation and maintenance stages of an information security management system (ISMS). Organizations applying for certification are evaluated against this document.
An organisation that bases its ISMS on the provisions in BS 7799 can obtain certification from an accredited body. This certification is a guarantee to its partners that its system both complies with the standard and answers the need for security measures as determined by its own requirements.
It is important to understand that an organisation that obtains certification is considered ISO 17799 compliant and BS7799-2 certified.
Contact Comsys for more information.