Implementing Information Security
The first step in implementing information security is to select a standard that applies to your organization; in this case it is BS7799-3:2005. The next stage is the choice of policies, after their content and structure have been determined. It is imperative to do enough research to satisfy yourself that the selected policies are complete and up to date in all respects. The policies must also meet your own requirements, since their purpose is to make your organization BS7799 compliant.
At the outset we need to understand how to define and create policies. Ready-made policies can be purchased off the shelf, or they can be written in house if the organization has sufficient talent. Management usually finds it most convenient to buy ready-made policies and then modify them to suit its needs.

Before such a purchase is made, it is advisable to read every clause, word and sentence, and only then put the policies to use. Buying pre-defined policies is the path of least resistance, and it is usually preferred for the sole reason that nothing is overlooked, as it might be when writing policies on your own. The best approach is to buy the ready-made policies and then make whatever changes your business needs require, keeping in mind that the ultimate aim is to implement BS7799 in your organization. Ready-made sets of policies are available from some of the IS Policy Portals; these are quite comprehensive and fully meet the requirements set out in BS7799, along with ISO17799 and other standards.

Simply having a copy of an IS security policy in hand is not enough. You have to understand its contents in the context of your organizational needs and then make the necessary changes before implementing it. This is very easy to say but very difficult to carry out in real life. The main hurdle facing the IS manager is how to go about implementing the IS security policies, as implementation is the most critical part of the whole exercise.