BruciesBabe
11-10-2005, 14:01
Hi guys and gals,
Has anyone out there got any experience with implementing the above standard?
I have been tasked with it for the company I work for and am a tad overwhelmed.
Any advice, hints or tips would be greatly appreciated.
Thanks.
BS7799 is the most widely recognised security standard worldwide and it will entail a full audit of all aspects of your Company's security procedures with particular regard to its data security as applied to the company and its stakeholders.
These would include sales, clients, suppliers, accounts, corporate information, personnel, communications systems, etc., and include your Company's:
Security Policy
Organization
Asset Classification
Personnel
Physical Security
Communications
Access Control
Development
Continuity
Compliance
The raison d'être of BS7799 is focused on compliance, with particular regard to data security, data storage, access and processing.
To ascertain what is involved you need a copy of the BS7799 manual outlining all of the different factors/components to consider and how your company can expect to be affected.
Implementing BS7799 is a very substantial piece of work, and if you have had any experience of BSI systems such as BS5750, which is about management systems and procedures, you will appreciate the volume of work involved. It is not an overnight process; it will be very expensive to implement and will entail a major culture change within your organisation in the way they process, store and access data.
The Information Commission may expect larger organisations to implement it although because of the implementation costs involved I think it is unlikely they would expect a smaller firm to take such measures.
For all of these reasons it is worth asking your management to provide more information for their decision to adopt this system.
Useful links to start you and there's loads more on-line:
http://www.infogov.co.uk/index.php?option=com_content&task=view&id=83&Itemid=61
http://www.iso17799-made-easy.com
http://www.bsi-global.com/index.xalter
http://www.iwar.org.uk/comsec/resources/bs7799/works.htm
BruciesBabe
12-10-2005, 09:09
Thanks Wendgygs for your response.
I have purchased the standard and am fully aware of the amount of work that is to be involved in obtaining this standard. Unfortunately, I am the only one who appreciates this, as the management team are very blasé about it and the lack of commitment and co-operation from them is staggering.
We have to implement this standard as it has been mandated by our main source of customers.
I am fighting against the view that 'apart from the tick in the box, we see no benefit from obtaining this standard' and 'we should do the absolute minimum that is required to achieve it'. Both of these comments came from one of the directors!
I am just completely stuck with how to start to be honest and the more I look into it, research it and seek to understand it, the more daunted I get!
eeeek!
Those links are way out of date, and the standards have changed a lot too:
ISO 17799 is now called ISO 27002.
BS 7799-2 is now called ISO 27001.
Both have become major (international, not just UK) frameworks, for companies of all shapes and sizes.
There are more recent sites that explain all this:
ISO 27001 Portal (http://27001.denialinfo.com) - background info
ISO 27001 and 27002 Newsletter (http://www.molemag.net) - Up to date news
ISO 27002 User Group (http://www.17799.com) - Dedicated Forum
These will put you in the picture regarding the current situation.
This thread was originally started back in 2005. I'm sure they will have changed by now!