BS7799 and ISMS


The original BS7799 was issued as a British Standard that sought to standardize best practices in 10 core areas of information security. It standardized the controls used for managing information security, providing a set of guidelines and a framework of controls against which an organization can benchmark its own practices and work towards establishing its own Information Security Management System (ISMS). Organizations can audit their ISMS themselves, or ask the BSI to conduct such an audit, with the aim of improving their information security implementation by ensuring compliance with the standard and, ultimately, passing an independent third-party audit leading to BS7799 certification.

BS7799 consists of two parts. Part I is the basic framework of guidelines governing the establishment of information security in an organization. It provides as many as 127 security controls, with guidance on how and where to implement them. Not all of them apply to every organization; the aim should be to implement those that your organization actually needs.

Part II of BS7799 provides the specification for implementing an ISMS in an organization. It sets out the requirements and documentation needed to build the ISMS. Whether you use Part I to improve security or Part II to establish an ISMS, you are bound to benefit in the long run, as have the thousands of businesses, large and small, worldwide that have chosen to adopt BS7799 in their operations. An organization should treat the security of its information assets not as a burden retrofitted onto the business, but as an essential means of gaining the confidence of stakeholders and customers: it shows that the organization cares about the security of the sensitive personal data entrusted to it and will take all necessary measures to protect that information.