BS7799 in 2005 - Upcoming Changes

For many of us now, when asked what best practice in information security is, the obvious answer has been British Standard (BS) 7799. In fact this year marks the tenth anniversary of BS7799 and several changes to the standard are set to take place some time within the next two months. This month we take a look at what these changes are and explore their significance to users of BS7799, past and present.

Let's begin with a review of what BS7799 is. In its current incarnation BS7799 is broken into two parts; the first is intended as a set of "best practices" for information security. Part 1 of the standard is also divided into ten sections, covering:

  1. Security Policy
  2. Organisational Security
  3. Asset Classification and Control
  4. Personnel Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Systems Development and Maintenance
  9. Business Continuity Management
  10. Compliance

Part 2 of the standard describes an information security management system and was developed to provide a mechanism to certify any given organisation as BS 7799 compliant. Part 2 was required because the best practices listed in Part 1 may or may not be applicable to all organisations. The information security management system detailed in Part 2 of the document describes the process an organisation would follow to determine which controls are indeed necessary, and how these controls are to be implemented and monitored.

To date 1,300 organisations have been certified against BS7799 Part 2.

The reasons that BS 7799 requires updating are numerous and clear: a lot has changed in information systems in the past ten years. In addition to these changes in the underlying technologies, the political and legislative environments in which BS7799 operates have also changed. In particular, new legislation such as the Freedom of Information Act, Basel II and Sarbanes-Oxley has a big impact on the security requirements for a best-practice information system.

These pieces of legislation are many and varied, especially across geographic boundaries, and internationalisation of the standard has been a definite focus of the current revision. This revision will in fact see BS7799 retired in favour of an equivalent ISO standard, ISO 17799. As many already know, there has been an ISO version of Part 1 of BS7799 since the year 2000, but until now no Part 2 equivalent existed. Following on the heels of the upcoming revision will be the release of ISO 27001, which is an internationalised equivalent of BS7799 Part 2. ISO 27001 is expected for release in the fourth quarter of 2005 or the first quarter of 2006.

Upon the release of ISO 27001 both parts of BS 7799 will be withdrawn, and local organisations will be asked to refer to the ISO documents in place of the British documents. Organisations seeking certification will be certified against the new standard, ISO 27001, and organisations already certified against BS 7799 Part 2 will be asked to recertify against ISO 27001 upon the expiration of their current certification.

An interesting side note to the main topic of this article relates to the 27000 range of ISO standards. ISO 27001 will be the first in a range of standards to be released by ISO in the 27000 range. It is intended that this 27000 range of standards will be viewed in much the same way that the 9000 range (i.e. the group of standards relating to quality) are currently viewed. In this 27000 range of standards will eventually be included standards relating to risk management, metrics and measurements and service delivery. Ultimately ISO 17799 will in fact be renamed to have a place in the 27000 range (most likely 27002).

So what will ISO17799:2005 (i.e. BS7799-1:2005) contain? In all, seventeen new controls and one entirely new section have been added to the standard, and nine old controls have been removed or merged together. These changes take into account the dual requirements of proving due diligence and obtaining compliance. Changes are also focused on delivering customer assurance and on making the standard easier to read and use. The new standard emphasises:

  • External services and the complex relationships that now often exist between networked organisations (Safecoms clients will be familiar with the use of the term "the extended enterprise" to cover this theme)
  • HR - especially at the termination of employment, but also at the commencement of employment and where disciplinary actions are required
  • Mobile systems
  • Threats and vulnerabilities
  • Patch management (there is an entirely new section to deal with patch and vulnerability management)
  • Contracts and SLAs
  • Service delivery (through references to BS 1500 / ISO 20000)

In all likelihood, for anyone who is certified to BS 7799 Part 2 and who is being properly diligent in relation to information security, these changes will already have been considered and implemented as part of an ongoing risk management strategy. For other organisations the changes should ensure that information security efforts are properly focused on current key "pain points", like patch and vulnerability management.

The new standard should be released in June 2005 (however, depending on final sign-off and publishing progress within the ISO, this may slip). We'll be sure to publish more information once the standard is released.