    BS 7799

   ISO/IEC 27001:2005 (BS 7799)

   INFORMATION SECURITY MANAGEMENT SYSTEMS

   Introduction
   Information Security Management Systems are used to reduce the risk of sensitive information being misused, damaged or falling into the wrong hands. In the current climate, many people focus on information stored on computer systems but it is important for organisations to consider all forms of confidential information, including paper records and even conversations. 

   Breaches of security can cost thousands of pounds and have even been known to force companies to cease trading. Therefore, positive steps need to be taken to protect the systems that are in place to store and share information.

   BS 7799 – The Standard for Information Security Management

   Part One of BS 7799 is a Code of Practice, based on the information security practices of blue chip organisations. It contains 10 sections and 10 key controls, which are either essential requirements or considered to be fundamental building blocks for information security.

   Many organisations have used the recommendations set out in Part One as a means of implementing effective information security management procedures.

   BS 7799 and c:cure – Information Security Certification Schemes
 
   Part Two of BS 7799, published in April 1998, is used as the basis for a formal certification scheme. It specifies requirements for security controls to be implemented according to the needs of individual organisations, and contains over 100 controls derived from and aligned with the objectives and controls in Part One.

   A DTI-appointed, independent scheme manager operates the c:cure scheme. Certification requires implementation of the security controls in BS 7799, based on a risk assessment of the value placed on an organisation's information and assets. The c:cure scheme also requires use of independent, IRCA registered c:cure auditors.

   Certification to BS 7799 or c:cure provides a benchmark for the protection of information being stored and shared. It promotes mutual trust between people and companies sharing information and opens new avenues of business with security-conscious clients, by providing independent verification that appropriate controls are in place. The requirements and their benefits are as follows:

   Information Security Policy
      Requirement: Companies are required to set out a policy specifying the level of security that they wish to implement.
      Benefit: A target for an effective security system is created at the outset.

   Security Organisation
      Requirement: The structure of the organisation's security must be clearly mapped out.
      Benefit: Internal and external security requirements can be identified, monitored and controlled.

   Asset Classification and Control
      Requirement: Information is assigned a value, reflecting the impact its loss might have on the organisation.
      Benefit: Levels of security, appropriate to the value of the information protected, can be implemented.

   Personnel Security
      Requirement: Staff must be trained in relevant areas that support the security policy (identifying breaches of policy, staff vetting, confidentiality agreements and individual responsibilities for specific tasks).
      Benefit: Security checks can be carried out on a regular basis, by everyone in the organisation.

   Physical and Environmental Security
      Requirement: The safe-keeping of information, in all the environments where it is used or stored, must be monitored and controlled.
      Benefit: The risk of losing information through fire, burglary, flood etc. is minimised.

   Computer and Network Security
      Requirement: Documented procedures must show that current and new information is secure from loss, corruption or disclosure.
      Benefit: An on-going security programme is in place to protect electronic information.

   System Access Control
      Requirement: Particular emphasis is placed on those operating the in-house system and the means by which entry to the system is gained.
      Benefit: Unauthorised access to information can be controlled.

   Systems Development and Maintenance
      Requirement: All new systems must be tested and controlled away from the live environment.
      Benefit: 'Back door' access to current information via a new system is prevented.

   Business Continuity Planning
      Requirement: A business continuity plan must be prepared and updated to assess security risks within current and revised working environments.
      Benefit: Awareness of all potential security hazards can be achieved and controlled.

   Compliance
      Requirement: The security policy must be audited to ensure that it complies with legislative and regulatory requirements.
      Benefit: The risk of prosecution for non-compliance is minimised.

   Gaining Certification
   The process for gaining BS 7799 or c:cure certification is similar to that of gaining certification to other management system standards.


   NQA is accredited to provide certification to BS 7799 and c:cure. For further information, contact your Regional Office. If you have any queries please contact your NQA India office, where the staff will be more than happy to help you, or e-mail: enquiries@nqaindia.com


© NQA 2004