Implementing ISMS

An Information Security Management System (ISMS) is a structured, systematic approach to managing sensitive information so that the security of that information is assured. An ISMS targets the three core properties of information security, the confidentiality, integrity, and availability of information, and it does so by engaging the organization's employees, its processes, the policies in use, and its information technology.

BS7799 Part II provides the guidelines, the control framework, and the documentation required to establish and implement an ISMS in an organization. BS7799 Part I lists as many as 127 controls that can be implemented in an organization after a proper study of the requirements and needs of the specific business. An organization that intends to establish an ISMS has to identify its needs and then choose the relevant controls from the large list in BS7799 Part I, after assessing each control's applicability to the organization's needs and its suitability to the way the organization does business.

The use and implementation of each control should be feasible while still giving due weight to its security purpose. BS7799 Part II lays down extensive guidelines for the steps that must be undertaken to establish an ISMS in an organization. The first step is to define the Information Security policy. The second step defines the scope of operation of the ISMS. The third step involves a lot of work: assessing the risks, selecting the appropriate security controls to be implemented, and then preparing a statement of the controls that need to be implemented. The fourth step is the actual implementation of the controls identified in step three; after successful implementation, a BS7799 audit is conducted by an independent auditor, and finally the organization registers and receives BS7799 certification. At that point you have a working ISMS in place.