In an unashamedly non-technical article, Dick Price of 7Safe Information Security, looks at an issue that is of vital importance to staff in any organisation.

Some readers may say 'hurrah', others may turn rapidly onwards, but I hope that readers will at least look at the headings and summary of this article. It is designed to explain why the management standard BS7799 is so important at all levels within any organisation.

What is BS 7799 and how does ISO 17799 fit in?

The original BS 7799 Standard was split into two parts:

Part 1 was a code of practice for information security management and included a number of potential controls that, if in place and working, would provide formally managed information security. Part 1 was a 'supermarket' of controls, some of which would be relevant, others not, depending on the business.

Part 2 is a specification for putting in place an information security management system (ISMS). In the same way that you can manage a firewall, so you can manage your overall information security.

In 2000, Part 1 became an ISO standard. The content remained basically a code of practice but, of course, it is not possible to be certified to a code of practice.

Part 2 remained a British Standard and organisations can be certified to it. The certification proves to any interested parties that the organisation is managing its information security.

Why is it important to me?

We are all involved with information to a greater or lesser extent. We are all involved with security of information.

For example, we all have to comply with Data Protection requirements, we all depend on data backups, either done by ourselves or by others, and we all desperately try to avoid viruses, spyware and so on.

Many of us are involved in complex measures to protect systems, and these are supported by detective controls to identify when things go wrong.

In many organisations, however, these types of control are done on a fragmented basis. The danger of fragmented control is that there could be serious gaps in coverage, which no one will have the responsibility of identifying or considering.

Additionally, the pace of change has increased so much in recent times that other security implications keep arising. During the last year or so there has been an increasing awareness of the dangers of spyware.

Mobile phones now contain lifestyle information (emails, videos, messages, photos, phone numbers and names). Identity theft has hit the headlines. All of these issues require an assiduous approach to their management, and who better to manage than management (in most cases)?

Finally, we are seeing an increasing demand from customers that suppliers show that they are looking after their information security before they will do business with them - a requirement in tender agreements for major and not-so-major contracts. Without certification, work flow will diminish, or in some cases, cease.

Some myths dispelled

  1. You cannot be accredited to BS 7799 or ISO 17799. The only people who are accredited are the auditors who do the certifying.
  2. You cannot be certified to ISO 17799. You can only be certified to BS 7799-2:2002 (part 2).
  3. Gap analysis has two completely separate meanings - it is important to know which one is being talked about. Gap analysis in relation to ISO 17799 means a comparison of the actual controls in place in an organisation with what would be regarded as best practice by the reviewer. This may well be a subjective view but has its merits in appropriate circumstances. BS 7799-2:2002 gap analysis relates to a review of an organisation's management system that can show that it has procedures in place to identify necessary controls based on risk assessment and is doing something about them. In other words that it is managing information security.
  4. You do not have to fit into the standard - the standard fits around your organisation and its requirements.

What does the standard contain?

The standard helps put in place a way of managing information security.

The British Standards Institution summarised the rules as follows:

  1. Define the direction, aims and objectives of information security. Put them in a policy that has the commitment of senior management. Supplement the high level policy for all staff with detailed policies for specific areas.
  2. Assess your security risks. Spending on controls should be balanced against the chances of the threats, the value of the information and other assets at risk, and the business consequences of a threat succeeding. Review these risks periodically to ensure that they reflect changing circumstances - and, at the same time, identify any new risks.
  3. Select and implement controls so that the identified security risks are reduced to an acceptable level. These will vary from organisation to organisation. Start by looking at the more common controls - copying software, organisational records and compliance with data protection legislation are, for example, all legal requirements. Also, most organisations need:
  • a widely distributed, but concise, information security policy document; 
  • specifically allocated information security responsibilities;
  • a programme of information security education and training;
  • a system for reporting and resolving security incidents, and 
  • a business continuity planning process.

Of course adopting BS 7799 cannot make your organisation immune from security breaches. But it will make them much less likely and reduce the consequential cost and disruption if they do occur.


Most organisations do something about information security, but in many cases it is fragmented, which can lead to significant holes.

By using a management system, with the backing and involvement of senior management, the issues of relevance to the organisation will be being identified, risk-assessed, and addressed.

The obtaining of certification to BS 7799-2:2002 demonstrates to staff, customers, trading partners and any stakeholders, (e.g. patients in hospitals, students in educational establishments) that you take information security seriously.

Implications of this will be different for the various stakeholders - patient information accuracy and confidentiality, customer record availability and accuracy, staff and personnel details' confidentiality and accuracy, banking records' confidentiality, accuracy and availability  are typical examples of impacts on everyday activities.