IT security specialists are being urged by the BCS to take up the
newly revised BS 7799 standard. They say it will help them explain
to fellow IT and business managers both the threats and how
effective countermeasures can be put in place economically, writes
John Kavanagh.
"The revised BS 7799 Part 2 Code of Practice for Information
Security Management Systems gives guidance on how to create an
information security management system and identifies critical
success factors that an organisation must achieve if it is to
successfully implement information security," says Willie List,
chairman of the BCS Security Expert Panel.
"In particular, it has introduced a plan-do-check-act model for
creating and maintaining an effective information security
management system. This will ensure that such systems are
harmonised with other management systems in an organisation."
List gives examples of what the plan-do-check-act tasks
include:
- Plan: define the scope of the information security management
system, identify and assess the business risks
- Do: implement agreed risk treatment activities and appropriate
controls
- Check: monitor the performance of controls, review risk levels
in the light of changing circumstances, perform internal
information security management system audits
- Act: implement improvements in the information security
management system process, and modify the controls as necessary
to meet changing circumstances.
This last point underlines a key aim of the revision of the
standard: to highlight the need to continually improve the process
of security management and continually assess security procedures
in the light of changing business requirements, technology threats
and new circumstances.
The BCS says the revision has greatly clarified other parts of the
standard. It has also cleared up some of the confusion surrounding
its relationship to the international standard in this field and
the newly revised guidelines from the Organisation for Economic
Co-operation and Development.
"Commerce and society depend on automated processing, and part of
the responsibility of IT professionals is to ensure adequate
defence against ill-intentioned people, hackers and fraudsters, as
well as the hazards of hardware and software failure," List says.
"The concept
of an information security management system as set out in the
revised standard will help all professionals achieve this
objective.
"We commend this standard to all who seek to establish effective
information security."