What is it?
BS 7799 has become the most widely adopted information security
management standard in the world. Now known internationally as ISO
17799 and ISO/IEC 27001, the standards cover people, processes and
IT systems, and help identify, quantify and manage threats to
information.
The number of companies implementing ISO 27001 is increasing
rapidly, and employers are seeking qualified staff, or paying for
their own to be trained. There is also a demand for qualified
people from security companies, and the organisations that audit
and certify ISO 27001 compliance.
But working with these standards calls for a management approach
rather than a hands-on technical one, and lacks the glamour of
penetration testing. Much of the work consists of ticking boxes and
making sure documents have been completed and filed correctly.
Where did it originate?
BS 7799 Part 1, written by the Department of Trade &
Industry, was first published by the British Standards Institution
in 1995. BS 7799 Part 2 followed in 1999.
Part 1 became ISO 17799, "Code of practice for information
security management". Part 2 was adopted as ISO/IEC 27001 "Security
techniques - information security management systems -
requirements" in November 2005. Organisations involved in the
development of the standards include the International
Electrotechnical Commission (IEC), and the Organisation for
Economic Co-operation and Development.
What's it for?
ISO/IEC 27001 covers all the steps in implementing an
information security management system, from defining an
information security policy, performing a risk assessment and
selecting controls to be applied, to preparing a statement of
applicability.
The controls are selected from ISO 17799, which has 10 sections
covering issues such as system access control, personnel security,
and business continuity.
The people who certify organisations carry out a two-stage
audit, beginning with a review of key documentation, and then
testing the effectiveness of the controls.
What makes it special?
From the organisation's point of view, ISO/IEC 27001
certification is increasingly required for government and corporate
security contract work. The people who make their money training
and certifying claim it can be a "deciding differentiator" in
contract tenders.
How difficult is it to master?
You will need several years of general IT experience. A range of
courses is on offer, generally teaching the fundamentals of ISO/IEC
27001 in a three- to five-day course.
Where is it used?
By the end of 2005, about 2,000 organisations were certified to
either BS 7799-2 or ISO 27001.
What's coming up?
BS ISO/IEC 27001 is the first of the BS ISO/IEC 27000 series of
security standards. BS ISO 17799 may be renamed ISO/IEC 27002.
Training
First you need to get hold of the specifications, which aren't
cheap (£90 for 34 pages in the case of ISO/IEC 27001). Many
independent trainers teach ISO/IEC 27001, or you can take a BCS
ISEB information security management qualification. Internationally
recognised auditors' qualifications are offered by IRCA.
http://www.bsi-global.com
http://www.irca.org/certification/certification82.html
http://www.standardsdirect.org/iso17799.htm
Rates of pay
Salaries for information security analysts start at £35,000, IT
security managers can expect £40,000-plus, and security consultants
and sales specialists can earn £60,000-plus.