BS 7799

The standard BS 7799-1 (BS = British Standard) defines a "code of practice" for information security. The version BS 7799-1:1999 was adopted by ISO as ISO/IEC 17799 and later renamed ISO/IEC 27002. This standard permits an internal audit of a company, but not an externally valid certification.

BS 7799-2 (full name: BS 7799-2:2002, Information security management systems - Specification with guidance for use) provides the specification for an information security management system (ISMS). This management system fits alongside a number of other international management system standards (ISO 9001, ISO 14001, ISO 20000). The standard BS 7799-2:2002 was standardized internationally in 2005 as ISO/IEC 27001.

Objective

BS 7799 was published with the aim of giving managers and employees of a company a model that allows the implementation and operation of an effective ISMS. The introduction of an ISMS is a major strategic decision that is influenced by the corporate strategy and business objectives of the company. BS 7799 serves as a basis for assessing the organization, including assessment by accredited certification bodies.

Genesis

The Commercial Computer Security Centre (CCSC) of the Department of Trade and Industry (DTI) did pioneering work in the field of IT security management by developing the so-called Green Books. On the one hand, these contained the British draft of evaluation criteria for IT security together with an associated evaluation and certification scheme. At the same time, a "code of good security practice" was developed, which produced the books User's Code of Practice (V11) and Vendor's Code of Practice (V31). The Green Books were published between February and November 1989 as drafts and never progressed beyond that status. [102, pp. 154 f. and 160]

In 1992 the British DTI convened a commission which, together with British companies and organizations, was to evaluate accepted best practices in the field of information security. The companies involved included Royal Dutch Shell, British Telecom, BOC, Marks & Spencer, Midland Bank, Nationwide Building Society and Unilever. [103]

The results were published in 1993 as the "Code of Practice". This was adapted in 1995 by the British Standards Institute (BSI) and published as BS 7799:1995. However, this version of the standard was not widely adopted, primarily because of its lack of flexibility. In 1998 the standard was fundamentally revised: UK-specific references were removed and technological developments such as e-commerce were added. The standard was divided into BS 7799-1:1999 (Part 1) and BS 7799-2:1998 (Part 2). In 2000 the International Organization for Standardization (ISO) adopted Part 1 as the ISO/IEC 17799:2000 standard. In 2005 the standard was renamed ISO/IEC 27002:2005.

With BS 7799-2:1998, a specification existed against which audits and certification could take place. Two years later Part 2 underwent further significant changes, including the introduction of the Plan-Do-Check-Act (PDCA) approach, which resulted in BS 7799-2:2002. BS 7799-2 was further developed into the international standard ISO/IEC 27001, which has been an internationally recognized basis for certification since 2005.

Certification

Certification of information security is possible only against BS 7799-2:2002. Certification against ISO/IEC 17799 is generally not possible as part of a qualified certification. A certification is considered qualified if it is carried out by a company operating under the supervision of an accreditation body such as the United Kingdom Accreditation Service (UKAS) or the German accreditation body (DKD). For BS 7799 certification, a certificate is valid for three years. An interim (surveillance) audit is performed every six months, and a complete re-certification takes place after three years.

Structure

  • 0.1 General
  • 0.2 Process approach
  • 0.3 Compatibility with other management systems
  • 4.1 General requirements
  • 4.2 Establishing and managing the ISMS
  • 4.3 Documentation requirements
  • 5.1 Management commitment
  • 6.1 General
  • 6.2 Review input
  • 6.3 Review output
  • 6.4 Internal ISMS audits
  • 7.1 Continual improvement
  • 7.2 Corrective action
  • 7.3 Preventive action

Management System

Chapters 4 to 7 contain the organizational framework for the introduction and operation of the information security management system. These are mainly:

  • Internal Audit
  • Management review
  • Document control
  • Risk Management

Appendix A

Annex A of BS 7799-2 provides a list of controls comprising both technical and organizational measures. ISO/IEC 17799 contains this list of controls at a greater level of detail. Chapters 3 to 12 of ISO/IEC 17799:2000 correspond to chapters A.3 to A.12 of BS 7799-2:2002.
