ISO/IEC 27001 (BS7799)

Introduction

The standard is published in two parts;

ISO/IEC 27001:2005 (formerly BS 7799-2:2002) Specification for Information Security Management

ISO/IEC 27002:2005 (previously named ISO/IEC 17799:2005) Code of practice for Information Security Management

Part 1:
Is an introduction to the practice of Information Security and describes the key controls necessary to ensure an effective security implementation.

Part 2:
Specifies the requirements for establishing, implementing and documenting an information security management systems (ISMS) and forms the basis for an assessment of the ISMS.

The standard requires a risk assessment and the identification of the most appropriate control objectives. A set of detailed controls are then described which can be used to achieve the control objectives as applicable. These controls are;

Security policy

Security organisation

Assets classification and control

Personnel security

Physical and environmental security

Communications and operations management

System Access control

System development and maintenance

Business continuity management

Compliance 

Security Policy

This introductory section outlines the need for a corporate information security policy which is documented and available to all staff. It should cover;

Security Organisation

This section explains how to set up the management structure for maintaining information security. The main subjects covered are;

  • The setting up of a management forum
  • The roles of the forum
  • Allocation of security responsibilities
  • Establishment of an authorisation process for new hardware and software purchases.

This section also covers access to corporate data by third parties, and the steps needed to prevent and detect unauthorised access of this kind.

Assets classification and control

This section concerns the protection of company assets. It deals with the establishment of an asset register for hardware, software and information, and offers advice on classifying and labeling assets.

Personnel Security

This section covers the risks to data and systems by deliberate and accidental human action such as user error, fraud and theft.
Among the subjects covered are:

Physical and environmental security

The main items covered in this section are;

  • The need to establish secure areas with physical entry controls
  • The need to physically protect hardware equipment to prevent theft
  • The need to protect network cabling from tampering
  • Security of equipment taken off site or sent for disposal

Communications and Operations Management

This is a large section and deals with security for computer systems. It explains the main areas of risk of which you need to be aware, but stops short of explaining the technical measures necessary.  The following issues are covered;

  • Viruses
  • Malicious software
  • Change control
  • Backup
  • The keeping of accurate access logs
  • Security of system documentation
  • Disposal of media
  • Protection and authentication of data during transfers and in transit
  • Security of Email

System Access Control

This section explains access control and how it can be applied to different types of system.
Items covered include;

  • issue and usage of passwords
  • duress alarms
  • automatic terminal time outs
  • physical access to terminals
  • software metering/monitoring

System Development and Maintenance

This section deals with the acquisition of new systems and modification to existing ones. Areas covered include:-

  • input data validation
  • data encryption
  • security of data files
  • protection of test data.

The section also discussed procedures for departments where software development and maintenance is performed, including configuration management, change control and protection of data.

Business Continuity Management

This is an overview of the case for a comprehensive business continuity plan which should be designed, implemented, tested and maintained.

Compliance

There are many areas in which an organisation needs to ensure that it compiles with its legal and contractual obligations. This section and explains the need to comply with legal & regulatory requirements such as:-

  • The Data Protection Act
  • The Companies Act
  • Contractual commitments (such as software licenses)
  • FSA regulations

The organisation is given advice on how to ensure that it does comply and is able to demonstrate through audit and other procedures that it has done so.

Please call 0870 421 4023 for more information relating to ISO/IEC 27001 certification, or e-mail sales@whitehelm.com.

 

ISO/IEC 27001 (BS7799) Overview
WhiteHelm End to End Network Security

Copyright ©2004-2010 Whitehelm Network Security Ltd
Copyrights, Trademarks & Disclaimers Terms & Conditions