
Implementing Information Security Standards BS7799 (now ISO 27001) and ISO 17799 (now ISO 27002)

 

BS7799 (BS7799-2:2005), which now has the international number ISO 27001:2005, is the international best practice information security management standard, defining and guiding Information Security Management System (ISMS) development.

 

These BS7799 pages contain everything necessary to help you implement an ISO 27001 (BS7799) Information Security Management System ('ISMS'), in any organization, in any sector, anywhere in the world. You can also access our specific North American ISO 27001 Information Security Site.

 

 

  1. New to information security management and BS7799 (ISO 27001)? Provide the details below so that we can send you a free copy of our BS7799 (ISO 27001)/ISO 27002 Briefing Paper.



  2. There are two introductory books, both by Alan Calder, that are both worth reading prior to starting an ISMS project:

    1. The Case for ISO 27001 is a comprehensive description of the benefits of implementing BS7799/ISO 27001. It is designed to help management and the board make an informed decision to go ahead.

    2.  Nine Steps to Success is a high level ISMS implementation overview. It deals with all the critical issues, including how to do it yourself and whether to call in consultants.

    3. Buy both books together and save money.

  3. The key book for any BS7799 Project Manager is IT Governance: a Manager's Guide to Data Security and ISO 27001/ISO 27002. It is the world's de facto guidance on ISO 27001 project management. It is now in its 4th edition. It is also the Open University's post-graduate information security text book.

  4. It is essential to buy and study the standards themselves.  
    1. ISO 27002:2005 (Code of Practice) on its own

    2. ISO 27001:2005 (ISMS Specification) on its own

    3. BS7799-3:2006 (Risk Assessments) on its own

    4. Special standards kit containing all three of the above standards (at a reduced price).

    5.  There are also two new, clearly written Management Guides to the standards and to implementation that you might find useful. 

TRAINING



  5. Implementing an information security management system, from scratch, without prior experience, is not easy. Training is essential:

    1. Foundations of IT Security Management, according to ISO 27001, is for people new to information security management;

    2. The ISO 27001 ISMS Implementation Master Class is a comprehensive, hands-on 3-day course for anyone managing or involved in the project.

    3. Some organizations want and need tailored in-house training delivered as part of their ISMS project, and training services are available to help with that too.

    4. Source appropriate Information Security Qualifications, ranging from CISM and CISSP to CISMP.

    5. Staff training is essential. Elearning is one effective way of delivering appropriate training to staff.

ESSENTIAL BS7799 (ISO27001) IMPLEMENTATION TOOLS

  6.  An ISO 27001 ISMS Documentation Toolkit is an essential time- and money-saver and will pay for itself within a matter of days.

  7. Risk assessment is the core competence of information security management. We've found that it is impossible to design and implement an ISMS in an organization of any size without using a specialised information security risk assessment tool such as vsRisk™.

  8. ISO 27001 certification is the objective, and this special Certification Bundle is designed to help you ensure that you're ready to achieve the primary objective of your ISMS project.

CONSULTANCY

  9. Some organizations value outside help to assess their current standing against the requirements of the standard and to guide them through the process up to certification. Our unique consultancy service, which specialises in fixed-price knowledge transfer and certain certification, provides a reliable, cost-effective method of ensuring that you achieve certification.

 

Other information

The background to the development of BS7799 and ISO 27002 is described in chapter 3 of the book "IT Governance: A Manager's Guide". For additional information, you can review these links to ISO 27001 Certification Organisations. There is also now an international ISMS User Group, which reflects the fact that organisations anywhere in the world can seek and gain certification to ISO 27001 through any accredited assessor.

 

The UK DTI/PwC Information Security Breaches Survey 2006 confirms that information security is too important to be left to the IT department: from a corporate governance, Sarbanes-Oxley and Turnbull perspective, information security is a critical, direct responsibility for boards and senior management teams.

 

HISTORY OF BS7799

Originally, BS7799 only had the status of a Code of Practice.  In April 1999, it became a formal two part standard.  Part 1 (the original Code of Practice) of the revised BS7799 standard was re-titled "Code of Practice for Information Security Management" and provides guidance on best practices in information security management.  Part 2, titled "Specification for Information Security Management Systems", forms the standard against which an organisation's own security management systems were to be assessed and certified.

 

BS7799 Part 1 became ISO 17799, then ISO 27002

The BS7799 Code of Practice, Part 1, took the form of guidance and recommendations. Its foreword clearly stated that it was not to be treated as a specification. It became internationalised as ISO 17799 in December 2000, a revised version was issued in early 2005, and it was renamed ISO 27002 in 2007. ISO 27002:2005 is the international code of best practice that is increasingly applied by organizations seeking a method of implementing an information security management system that will ensure they effectively meet the wide range of regulatory and compliance demands they face today.


BS7799 Part 2, on the other hand, remained a British Standard only and "forms the basis for an assessment of the Information Security Management System (ISMS) of the whole, or part, of an organisation. It may be used as the basis for a formal certification scheme". It was revised and the current version was published on 5 September 2002. It is this document (BS7799-2:2002) that sets out the specification against which an Information Security Management System will be assessed. Any organisation due for re-certification, after its initial certificate has expired and until November 2005, will need to re-certify to the BS7799-2:2002 standard. Thereafter, as described below, it will need to upgrade its ISMS to meet the requirements of ISO 27001 in time for its subsequent re-certification.

 

2005 versions of the standards

 

ISO/IEC 17799:2000 has been substantially revised and a new version was published in mid-June 2005 as ISO/IEC 17799:2005, and then renamed ISO 27002 in 2007. In spite of the significant re-ordering of controls and general restructuring, BS 7799-2:2002 continued to be the specification for an ISMS until it was replaced in October 2005 by ISO/IEC 27001:2005 (BS7799-2:2005). 

The British Standard underwent fast-track internationalisation under the number FDIS 27001 (it was going to be ISO/IEC 24743, but that project was deleted by ISO). The FDIS version was available in June 2005 and the final version was published in late October 2005 as ISO/IEC 27001:2005. Certifications prior to publication of ISO/IEC 27001 will still be against BS7799-2:2002 and, therefore, organizations will need to adapt their current projects or existing management systems accordingly. The ISMS converter provides more information on the changes, together with a detailed side-by-side comparison of the old and new versions of ISO/IEC 17799 (27002).


IT Governance: A Manager's Guide to Data Security and ISO 27001/ISO 27002

"For companies that have identified IT Governance as a key business risk, this book provides a comprehensive guide as to actions that should be taken."  NIGEL TURNBULL, Chairman, Lasmo Plc, author of the Turnbull Report: "Internal Control: Guidance for Directors on the Combined Code"

"The Calder and Watkins book has four benefits:
* it neatly parallels the structure of the standard;
* each vulnerability comes with detailed advice on how to implement a control to cover it;
* there is useful detail on vulnerabilities uncovered because of the use of the control; and, last but not least,
* there are the trade-offs that arise between covering a vulnerability and leaving it uncovered.

These are very good reasons for studying the book and they're why we chose it as the basis for the Open University's new Information Security Management Course." Dr Jon G Hall, Lecturer in Information Security, Open University, UK

 

This book "should form part of the introductory reading of every computer professional with responsibility for security in a medium to large user as well as becoming a standard text on any business-oriented ICT training programme." IMIS JOURNAL, April 2003

 

Links to other standards, statutes and regulatory frameworks

BS7799-2:2005 (ISO 27001:2005) is designed to harmonise with ISO 9001:2000 and ISO 14001:1996 so that management systems can be effectively integrated.  It implements the Plan-Do-Check-Act (PDCA) model and reflects the principles of the 2002 OECD guidance on the security of information systems and networks. 

ISO 17799 implicitly recognises that information security and any Information Security Management System (ISMS) should form an integrated part of any Internal Control system created as part of Corporate Governance procedures, and that the standard fits in with the approach adopted by the Turnbull Committee.

 

BS7799-2 (ISO 27001) is explicitly identified by the Information Commissioner, in the legal guidance on compliance with the Seventh Principle of the Data Protection Act 1998 ("DPA"), as the source of appropriate advice on how to comply with the requirement that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." The DPA created a section 55 criminal offence which could arise, for instance, from a failure to adequately protect personal data such that it is released into the public domain. ISO 27001 is a key step in ensuring that the organisation is genuinely in compliance with the DPA.

 

ISO 27001 can also create a framework that helps UK sales and marketing departments comply with the Telecommunications Regulations 1998 (Data Protection and Privacy). Apart from the Data Protection Act 1998, all UK organisations must comply with the Computer Misuse Act 1990, the Human Rights Act 1998, the Regulation of Investigatory Powers Act 2000 and the Copyright, Designs and Patents Act 1988. UK public sector organisations must, additionally, comply with the Freedom of Information Act 2000. ISO 27001 is the essential step toward effecting and demonstrating compliance with all this legislation.

 

There are also clear relationships between BS7799 and the recommendations of the OECD Information Security Guidelines of 2002 and the Basel Committee's paper "Sound Practices for the Management and Supervision of Operational Risk."

 

In the United States, the regulatory and compliance requirements imposed by, for instance, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Availability Act (HIPAA), the Californian Senate Bill 1386 and the Online Personal Protection Act as well, of course, as the Sarbanes-Oxley Act (SOX) and the Federal Information Security Management Act (FISMA), are all best met through the development of an information security management system that is integrated, comprehensive and incorporates widely recognized best practice. This is precisely what ISO27002 provides.

 

IT Governance specialises in helping organisations, in all sectors and all over the world, design and implement best practice Information Security Management Systems that deliver identifiable returns on investment and which are capable of certification to ISO 27001. We recognise that, in many organisations, expenditure on information security is already substantial, that it often impedes business effectiveness, and that its value for money is not clear. We can usually help organisations reduce their total information security expenditure while increasing its effectiveness. Please e-mail servicecentre@itgovernance.co.uk to find out how we can help improve the Return on Investment in your information security posture.

 

© 2003 - IT Governance Ltd.