BSI Releases Update : BS7799-2:2002

Posted on 2002-10-15 11:56
http://www.bsiamericas.com/About ... nfo+Security.xalter

[B]BSI Releases Update to Information Security Standard[/B]

The development of BS 7799-2:2002, the specification for Information Security Management Systems (ISMS), is now complete and the revision is available from BSI. This new edition, like the previous one, is a risk-based approach for assessing, evaluating, treating, and managing the risks organizations face today. The standard not only covers IT issues, but also takes a holistic approach to information security and includes personnel, physical, environmental, business continuity, and compliance issues. Since its inception, BS 7799-2 has been adopted worldwide by organizations in countries such as the USA, United Kingdom, China, Japan, United Arab Emirates, Brazil, India, Egypt, and Germany.

BS 7799-2 is related to the international standard ISO 17799, Information technology - Code of practice for information security management. BS 7799-2's companion document BS 7799-1 was adopted as an international standard in December 2000 and published as ISO/IEC 17799. In terms of its consistency with ISO/IEC 17799:2000, BS 7799-2:2002 introduces no new controls. All 127 controls remain consistent with ISO/IEC 17799:2000.

The growing value of ISO 17799 and BS 7799-2 to organizations is reflected in Michael Rasmussen's statement - "The defining standard for developing an information protection program around is ISO 17799, formerly British Standard 7799. ISO 17799 provides a framework to build an information protection program around." Michael is the Director of Research - Information Security at the Giga Information Group. The quote is from the Giga Information Group Special ForSITE Report 2002 entitled "Information Protection: Assuring Stakeholder Value in a Digital Age."

The new BS 7799-2:2002 standard has improved definition and clarification of the links between the risk assessment process, the selection of controls, and the contents of the Statement of Applicability. It also includes more detailed requirements for management responsibilities and review and ISMS improvement.

"One of the most critical and often forgotten aspects of any effective information security program is the management system surrounding the controls, policies, and procedures. The latest release of BS 7799-2 clarifies and further defines the elements of the management system and management's responsibilities. This is a welcome addition to anyone establishing an Information Security Management System," says Marne Gordon, Director of Regulatory Affairs at TruSecure Corporation.

Other new additions include:

Harmonization with other management systems standards such as ISO 9000 (Quality) and ISO 14000 (Environmental) to provide consistent and integrated implementation and operation of management systems
The need for continual improvement processes (Plan, Do, Check, Act) to ensure effective information security management is established and maintained
Corporate governance
Information security assurance
Implementation of the revised OECD guidelines governing the security of information systems and networks

With the introduction of the Plan-Do-Check-Act process model as part of a management system approach, businesses can now develop, implement, and improve the effectiveness of their information security management system within the context of their overall business risks:

Plan - business risk analysis
Do - internal controls to manage the applicable risks
Check - a management review to verify effectiveness
Act - action as necessary.

In regards to the Organization for Economic Co-operation and Development (OECD) guidelines, at a recent "7799 Goes Global" conference in the UK, Department of Trade and Industry e-commerce Minister Stephen Timms took the opportunity to praise the updated British standard. He stressed the value of having a tool by which all organizations - including the DTI itself, which uses the Standard - can manage the security of their information assets as a core business activity. "This Standard will bring information security into the mainstream of good business practice and is a practical way to demonstrate commitment, at the organization level, to the OECD guidelines."

Finally, with all of the Information Security standards out there today, which one should an organization choose? "To me, this is not a [this standard versus another standard] decision," says Craig Heier, Information Security Program Manager for BSI Americas. "BS 7799-2 is a process approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of an organization's ISMS. It provides a disciplined and an umbrella framework under which other standards, such as ISO 13335 - Guidelines for the management of IT Security and ISO 15408 - Common Criteria, can be effectively managed."

Background Information

BS 7799-2:2002 "Information security management systems - specification with guidance for use" can be ordered from BSI Americas at http://www.ceem.com/infosecurity_standards.asp. Alternatively, please contact: BSI Americas at 12110 Sunset Hills Road, Suite 140, Reston, VA 20190-3231, Phone (800) 745-5565, Fax (703) 250-5313, email: inquiry@bsiamericas.com.

For more information on how information security management registration can help your organization, please visit our information security page at http://www.bsiamericas.com/InformationSecurity/Overview/index.xalter and http://www.ceem.com/infosecurity.asp.

An executive summary of the changes in the new revision and the OECD principles is here.
OECD Guidelines for the Security of Information Systems and Networks can be found here.
The DTI / CBI news release is here.
More news releases on info-security management are here.
General information on the BSI group is here.
Information on BSI Americas can be found here.
Information on Information Security products and services offered by BSI CEEM can be found here.

BS 7799-2:2002 Table of Contents

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Information security management system
5 Management responsibility
6 Management review of the ISMS
7 ISMS improvement

Annex A (normative) Control objectives and controls
A.1 Introduction
A.2 Code of practice guidance
A.3 Security policy
A.4 Organizational security
A.5 Asset classification and control
A.6 Personnel security
A.7 Physical and environmental security
A.8 Communications and operations management
A.9 Access control
A.10 System development and maintenance
A.11 Business continuity management
A.12 Compliance

Annex B (informative) Guidance on use of the standard
Annex C (informative) Correspondence between BS EN ISO 9001:2000, BS EN ISO 14001:1996 and BS 7799-2:2002
Annex D (informative) Changes to internal numbering

Bibliography

Figure 1 - PDCA model applied to ISMS processes
Table B.1 - OECD principles and the PDCA model
Table C.1 - Correspondence between BS EN ISO 9001:2000, BS EN ISO 14001:1996 and BS 7799-2:2002
Table D.1 - Relationship between internal numbering in different editions of BS 7799-2