1

BS 7799 EXPLAINED FACTSHEET

It is currently divided into two parts:

● Part 1. Contains guidance and explanatory information

● Part 2. Provides a model that can be used by businesses to setup and run an effective Information Security ManagementSystem (ISMS)

The two parts are formally published as:

● ISO/IEC 17799 Part 1 Code of Practice for Information Security

● BS 7799-2:2002 Specification for Information SecurityManagement

For further information on information security standards, seeour Existing Standards page.

In this section, you can learn more about Part 1 of the standard.See information on:

● Information security management systems

● Understanding BS 7799 part 1

● BS 7799 certification

● Ongoing requirements for BS 7799 compliance

● What is certified

● Benefits of BS 7799 implementation

● Further information

You may also wish to visit www.bsi-global.com/ or www.iso.ch/to purchase full versions of standards.

WHAT IS AN INFORMATION SECURITY MANAGEMENT

SYSTEM (ISMS)?

What is BS 7799? BS 7799 is the most influential, globallyrecognised standard for information security management.

The essence of BS 7799 is that a sound Information SecurityManagement System (ISMS) should be established withinorganisations. The purpose of this is to ensure that anorganisation's information is secure and properly managed.

UNDERSTANDING BS 7799 – PART 1

BS 7799 is divided into ten main sections:

1. Security Policy

Explains what an information security policy should coverand why each business should have one

2. Organisational Security

Explains how information security management is organised

3. Asset Classification and Control

Considers information and information processing equipmentas valuable assets to be managed and accounted for

4. Personnel Security

Details any personnel issues such as training, responsibilities,vetting procedures, and how staff responded to security incidents

5. Physical and Environmental Security

Physical aspects of security including protection of equipmentand information from physical harm, as well as physicalcontrol of access to information and equipment

6. Communications and Operations Management

Examines correct management and secure operation ofinformation processing facilities during day-to-day activities

7. Access Control

Control of access to information and systems on the basis ofbusiness and security needs

8. System Development and Maintenance

Designing and maintaining systems so that they are secureand maintain information integrity

9. Business Continuity Management

Concerns the maintenance of essential business activitiesduring adverse conditions, from coping with major disastersto minor, local issues

10. Compliance

Concerns business compliance with relevant national and

2

BS 7799 EXPLAINED FACTSHEET

international laws, professional standards, and anyprocesses mandated by the Information SecurityManagement System (ISMS)

WHAT DOES BS 7799 CERTIFICATION MEAN?

Certification to BS 7799 is a formal acknowledgement that yourInformation Security Management System (ISMS) reflects yourorganisation's information security needs.

HOW IS CERTIFICATION OBTAINED?

Organisations can be formally certified for BS 7799 by a UKAccreditation Service (UKAS) accredited body.

A professional auditor completes an independent formal reviewof the Information Security Management System (ISMS). Theaim of the review is to confirm that the ISMS is both effectiveand appropriate.

The auditor will check for:

1. Completeness. Have all parts of BS 7799 been covered?

2. Relevance. Is the interpretation of BS 7799 relevant for theorganisation?

3. Implementation. Is the Information Security ManagementSystem (ISMS) being followed?

The auditor will require a A Statement of Applicability (SOA).This is a document that lists all requirements in BS 7799 Part 2,with:

● an explanation of how the organisation complies with them

● an explanation and justification of any deviations from them.

3

BS 7799 EXPLAINED FACTSHEET

WHAT ARE THE ORGANISATION'S ONGOING REQUIREMENTS

FOR BS 7799?

1. Self Audits

Each organisation must have a schedule of audits for thewhole Information Security Management System (ISMS) overa reasonable period of time.

This involves checking that staff are actually following theISMS, and can prove it with appropriate records.

The audits are internal, usually involve completing a standardchecklist, and are conducted by the organisation's own staff,who are not required to have UKAS accreditation.

Where a failure to follow the ISMS, or a security breach isdetected, a report should go through the normal managementstructure, described in organisational security.

The importance of self-monitoring is that the organisation canreact quickly to problems in its own procedures - sometimesthe procedures must be improved to take account of reality

2. Accredited Audits

After the initial audit, the certification body makes a reviewevery six months

3. Statement of Applicability (SOA)

This is a living document and must be kept up to date. Itshould always reflect the current status of the organisation'sInformation Security Management System (ISMS)

WHAT GETS CERTIFIED?

There are many options for certification. A small scope thataddresses core business functions could be formally certified,but equally, the organisation as a whole could comply with thepolicies and procedures.

Only the formally certified scope of the Information SecurityManagement System (ISMS) would be subject to six monthly reviews.

4

BS 7799 EXPLAINED FACTSHEET

WHAT ARE THE BENEFITS OF BS 7799?

The benefits of using ISO 17799 / BS 7799 are straightforward.Using it well will result in:

● reduced operational risk

● increased business efficiency

● assurance that information security is being rationally applied

This is achieved by ensuring that:

● Security controls are justified

● Policies and procedures are appropriate

● Security awareness is good amongst staff and managers

● All security relevant information processing and supportingactivities are auditable and are being audited

● Internal audit, incident reporting / management mechanismsare being treated appropriately

● Management actively focus on information security and itseffectiveness

It is likely that a number of organisations, including theGovernment, will require suppliers and other partners be certifiedto the BS 7799 before they can be given government work.

This could make compliance (or certification) more of anecessity than a benefit.

Certification can also be used as part of a marketing initiative,providing assurance to business partners and other outsiders.

5

BS 7799 EXPLAINED FACTSHEET

FURTHER INFORMATION

BSI DISC has several publications that are specifically designedto help organisations achieve certification to BS 7799.

See our Existing Standards page for more backgroundinformation and associated websites.

6

BS 7799 EXPLAINED FACTSHEET

For more information on Achieving best practice in your business:

● Visit our website at www.dti.gov.uk/bestpractice

● Call us on 0870 150 2500 to order from our range of free best practice publications or visit www.dti.gov.uk/publications

● Contact your local Business Link adviser by visiting the website atwww.businesslink.gov.uk or calling 0845 600 9 006

Published by the Department of Trade and Industry. www.dti.gov.uk

© Crown Copyright. 04/04