is the crown jewels of business. Your business partners
want to know if you have done enough to protect your
information assets. The BS 7799 Information Security
Management System outlines the best practices that one
should follow and is a benchmark for security certification
in business. by Avinash Kadam
a key ingredient that drives your business. All those
who said 'information' got it right. That's because
most businesses cannot function if this ingredient is
not available or is unreliable. Availability, integrity
and confidentiality of information are paramount concerns
today. How do you know that your organization is taking
good care of all the information it has so diligently
acquired, over the years?
The manufacturing records, sales records, financial
records, customer records are all kept on computers.
In today's networked world, these may be accessible
from anywhere, via the Internet. You can't be too sure
that all your digitized information is secure. Your
personal and confidential records will be with banks,
finance and insurance companies; your medical records
are with hospitals and laboratories; your credit card
details have to be tendered whenever you buy something
on the Internet. Is there any guarantee that all this
information is really kept confidential? Shouldn't there
be a way to tell if an organization can be entrusted
with confidential information and if it maintains Information
In fact there is. Heard of the BS 7799 Information Security
BS 7799 standard
Anyone who wants to ascertain the quality of a business
process will look for an ISO 9001:2000 certificate.
This gives an assurance that the organization has achieved
the minimum requirements for establishing a Quality
Management System (QMS). Similarly, the British Standards
Institute (BSI) has established a standard for Information
Security Management System (ISMS). The BS 7799 was first
issued in 1995 and was revised in 1999. Latest
revision i.e. BS 7799 -2 2002 is due on 5th Sept. 2002.
The BS 7799 standard comprises two parts:
1: Code of Practice for Information security management.
Part 2: Specifications of Information Security Management
Part 1 outlines the recommended best practices that
one should follow and Part 2 gives the specifications
against which an organization will be evaluated to determine
whether it deserves to be certified.
Assessing your Security Requirements
BS7799 depends heavily on risk assessment. You are expected
to carry out a thorough risk evaluation exercise. To
prepare for this exercise, you have to take a complete
inventory of all your information assets. These include
not only the usual suspects like hardware assetsservers
and networking devices, but also software assets like
programs and databases. Also consider paper assets and
infrastructure assets like power, light and air-conditioning.
A risk like 'Denial of Service' is usually attributed
to an external attack from the Internet, but it can
also be an internal attacksomeone can remove the
power fuse in the server room.
The next step is to classify all the information assets
according to their sensitivity and criticality, with
respect to business needs. A risk evaluation exercise
helps to identify the risk scenarios. The probability
and consequences of a particular risk scenario in terms
of business losses needs to be documented. If the losses
could be quantified, that's good. Otherwise, these could
be categorized into high, medium and low categories.
Security Domains and Control Objectives
After risk categorization and prioritization, the next
obvious step is risk mitigation. This is where we revisit
BS 7799 controls. These are given in BS 7799 Part 2:
Specification for Information Security Management System.
These are divided into 10 domains:
1. Security policy.
2. Security organization.
3. Asset classification and control.
4. Personnel Security.
5. Physical and environmental security.
6. Communication and operations management.
7. Access control.
8. System development and
9. Business continuity management.
These are further categorized into 36 control objectives,
which are to be achieved by fulfilling 127 specified
As an example of this hierarchy, let us look at the
domain of 'Communication and operations management.'
This domain has seven control objectives to be fulfilled.
One of these seven control objectives is 'Exchange of
information and software.' The objective is 'To prevent
loss, modification or misuse of information exchanged
between organizations.' The steps to achieve this objective
Step 1: Does the risk analysis point out that
there is a business risk in exchange of information?
Is this control objective applicable for protection
of your business?
Step 2: If the answer is no, prepare a statement
justifying the exclusion.
Step 3: If the answer is yes, look at each
of the seven control statements under this particular
of these control statements has the word 'shall', which
means compliance with the requirements is mandatory,
unless you have a valid justification.
For example, one control is:
"Electronic commerce security: Electronic commerce
security shall be protected against fraudulent activity,
contract dispute and disclosure or modification of information."
So if you have E-Commerce activity, you will have to
prove that you are protected against each of the stipulated
Step 4: Select the appropriate policy, procedure,
process or product that will fulfill the requirement
of each applicable control. You should be able to
prove that the control is effective in reducing the
risk, which you have identified.
You will realize that there's not much to help you decide
what is required to be done. The control statements
are extremely general in nature. They do not provide
any further recommendations, technical or otherwise.
On one hand, this makes the standard independent of
technology but on other hand, it introduces subjectivity
Advantages of BS 7799 Certification
Despite these shortcomings, BS 7799 presents the following
1. You will have a structured, risk based approach
to information security.
2. Your employees will have to take security seriously
as you will have framed adequate policies and penalties
for any breach of security.
3. Your clients will be assured about your security
4. Foreign companies that are paranoid about information
security, may feel comfortable dealing with you, if
they have not already made it mandatory for you to
get certified or audited by a security consultant.
5. Since availability is one of the critical components
of information security, you would have set up adequate
business continuity management plans.
6. You may do all of the above things without aiming
for a certification, but you may even get a marketing
advantage if you are certified.
7. And finally, you will definitely sleep better.
How to proceed
You can aspire for BS 7799 certification with the following
Step 1: Establish importance of information security
in the organization. In the current scenario, this
should not be difficult. However, it will help if
you identify the critical business processes, which
are dependent on information, and what is the business
risk if anycheck if the three pillars of information
security are compromised (i.e. confidentiality, integrity
Step 2: Set up a Security Organization. You will need
organizational involvement to define and implement
security measures. A steering committee for BS 7799
project, a security forum with representation of key
business and technology departments, appointment of
an Information Security Officer and defining security
responsibilities for protection of various assets
will have to be done.
Step 3: Define the Security Policy for the company.
This should be endorsed by top management and should
convey their concern and commitment.
Step 4: Define the scope of Information Security Management
System (ISMS). This could be business specific, location
specific or function specific.
Step 5: Undertake risk assessment. Start with business
risk assessment. This will help you in identifying
the risk areas for detailed risk evaluation. Identify
and prioritize all the risks.
Step 6: Identify the controls objectives and the control
Step 7: Select appropriate controls to fulfill the
control objectives. These controls will be in the
form of security policies, procedures and products.
Prepare guidelines on how to implement these controls.
Step 8: Implement and monitor the controls. You should
be able to prove adequacy of the controls in reducing
Step 9: Make a table of all the 127 controls and map
the controls implemented by you against relevant control
objectives. One control may address more than one
control objective. If there are some gaps, find out,
whether these are omissions or there are no requirements
of controls. Fill up all the gaps.
Step 10: Make statement of applicability, which justifies
the controls in place as well as those, which really
are not required. For all exclusions, you should have
a justification backed by risk assessment.
Step 11: Invite a certification body for pre-assessment.
Some of the accredited certification agencies are
DNV, BSI, STQC.
Step 12: Take appropriate measures to comply with
Step 13: Get the final assessment done.
Step 14: Acquire the coveted certificate, which is
valid for three years. An external audit will be done
once a year.
How to implement the standard
If you perform all the 14 steps mentioned above, you
will have implemented the standard. Alternatively, if
you are short of manpower or expertise, employ an external
agency to implement it for you. This will be especially
useful while performing a detailed and objective risk
analysis. A consultant will use a risk analysis questionnaire,
which has been enhanced by his experience. The period
taken for entire implementation depends on the size
of the organization. It could be between 3 to 9 months.
Difference between BS 7799 and ISO 17799
ISO has adapted the BS 7799 Part 1 and numbered it as
ISO 17799. As we discussed earlier, Part 1 covers the
Code of Practice and as such only provides guidelines.
ISO has not yet adapted the BS 7799 Part 2. So, there
are no specifications, which an implementer or an auditor
can refer to. An organization cannot be evaluated or
certified today as an ISO 17799 compliant organization,
but it can be certified as a BS 7799 compliant organization.
Why BS 7799 certification?
BS 7799 may not be a perfect security certification
but it provides excellent guidelines for information
security management. It presents a yardstick for measuring
a company's security practices. The risk-oriented approach
ensures that the organization does not become complacent
after getting the certificate. If the risk has not been
controlled, the ISMS may not be effective. So, apart
from a periodic audit by an external auditor, the management
could get regular feedback about the state of information
security in the organization through the security management
infrastructure created in the process of implementation
of BS 7799.
Where to get the Standard?
You can order the Standard from www.c-cure.org for £94.00.
In India, you may enquire with firstname.lastname@example.org.
You may get more information about BS 7799 at www.bsi-global.com.
Another site giving FAQs on BS 7799 is www.dnv.com.
You can also down load the 'DNV Interpretation guide
to BS 7799' from this site.
Kadam is Chief Executive - Assurance and Training at
Miel e-Security, Pvt. Ltd.. He can be reached at email@example.com