Apparently British firms don't know a good thing when they see it - or perhaps they just haven't seen it. Though BS7799 has been around since 1995, it isn't exactly a household name. Next week's DTI information breaches survey will reveal that just 6% of information security managers could name the standard.
Kevin Black, director of sales and marketing with Internet Security Systems (ISS), comments, "The main reason the standard doesn't yet have great visibility is that security is still largely seen as the preserve of security specialists and gurus." Even companies with a lot staked on e-commerce projects often pay alarmingly little attention to security issues, Black reports.
On the other hand, there's a high degree of awareness among security professionals, many of whom have greeted the standard as a useful tool for explaining security concepts, and hence the function of their various products and services.
Interest is not limited to the UK: MIS Corporate Defence Solutions, which has been certified under BS7799 itself and also helps other companies to prepare for certification, has received a lot of overseas enquiries, including from the US.
"The current version of the standard is non-UK specific," says MIS-CDS consultancy manager Julie Kenward. She expects it to become an ISO in the near future, although some other consultants are sceptical about whether this will happen.
The value of BS7799
What do its fans like about BS7799? Mostly, that it encourages a coherent approach to information security. Too often, the typical user organisation's approach to security has tended to be ad hoc - a firewall here, a smidgin of encryption there - with no overall strategy for managing risk.
Colin Robbins, product strategist with Nexor, thinks the industry is partly to blame. "As soon as a security fear is mentioned, technologists start talking about PKI or something, and before you know it, you may have spent half a million on technology when an insurance policy might have been more appropriate. The good thing about the standard is that it's pragmatic. It says: 'Let's identify risks and take appropriate measures'."
It's not that anything revolutionary is being attempted here - the contents of BS7799 have much in common with assorted security management guidelines, procedures and methodologies used by consultants for decades. But none of these approaches has achieved industry-wide acceptance. In BS7799, security experts hope companies will eventually recognise a universally applicable model and one endorsed by a bevy of blue-chip organisations along with the DTI and BSI.
Its admirers see BS7799 not just as a certification standard but as a guide for anyone wanting a sensible approach to security. Graham Welch, RSA Security vice-president of the UK, France and Benelux, says, "The standard is extremely good guidance; the articles associated with it are useful for raising awareness of where the risks lie." Kenward agrees, "Even if you don't want to go for the certification, it's worth complying with the standard because it represents best practice in looking after information."
Is it too general?
An earlier BSI effort, BS5750, the quality management standard which became ISO9000, was sometimes accused of bureaucracy. One critic claims that compliance adds a one man-year overhead to even the smallest project. "It guarantees that your quality systems are properly documented, but not that your products are of good quality," said another.
BS7799, on the other hand, is generally considered more practical and less likely to generate gratuitous paperwork. In its current version, advocates feel that it can be applied realistically by even small companies.
Kay Ruddeforth is business manager with BSI Global Quality Services, the commercial wing of BSI which, along with a handful of other bodies like Det Norske Veritas (DNV) and Lloyds Register Quality Assurance, offers to certify organisations for BS7799 compliance. She explains that BS7799 allows each organisation to "pick and mix" the relevant controls. "So a small company can choose only the controls that are relevant, as long as it can justify why it hasn't implemented the others."
Some say the standard still errs on the side of generality. Neil Barrett, technical director of security consultancy Information Risk Management, finds BS7799 useful in many respects, and commends it as "sane and comprehensible". But he says, "The standard asks, for example, if you've got an antivirus policy, but the policy might be to upgrade every week or every year - one of which is clearly adequate and the other not."
Accrediting scheme c:cure fills in some of the gaps, he concedes, by ensuring that auditors have a real-world appreciation of what constitutes an adequate policy, but Barrett would also like to see BS7799-approved procedures that reflect best industry practice - for example, recommending a monthly virus update, assuming that proved to be the optimal frequency.
But ISS's Black argues that its generality is what gives BS7799 a long shelf-life. "Obviously, new types of security breach are always going to need a rethink of security policies. Building security is a well-established discipline, but ram-raiding can catch them on the hop for a few weeks. Implementing BS7799 should mean you have a process in place for dealing with new types of threat."
What's involved in getting a certificate
So what does it take to get certified? Ruddeforth explains there are two stages to an audit. "The first stage is to review the company's risk assessment and how they decided which of the controls from BS7799 were relevant to them. Then, not more than six weeks later, we go back and look at the policies and procedures to see if they're working effectively and in accordance with the standard. That involves interviewing people working at the coal-face to see if, for example, passwords are being used as they're supposed to be."
The upshot is either a statement by the auditors that the requirement is met, perhaps with a recommendation of further work in specific areas, or a statement that the organisation doesn't meet the requirement.
How much work is involved in the audit? Ruddeforth estimates that the first stage takes about two days and the second about four days in a medium-size company. Of course, a lot more work goes on behind the scenes - a typical elapsed time for preparation might be six to nine months, she says, much of which would be devoted to risk-assessment. User organisations may choose to bring in security consultants to help with the preparation.
Insight Consulting is one of a number of firms in the security and IT industries that have decided to take their own medicine and get certified themselves as well as help other companies to do so. Partner Ian Glover says that although the company was already fairly confident about its technical security, this was still a non-trivial exercise. The firm went through a staged process - including scoping, gap analysis, statement of applicability, risk-assessment, improvement plan - and emerged with some worthwhile benefits along with its certification.
"The process clarified our approach and improved our procedures in areas like incident reporting," says Glover. Now the firm will be reassessed by certifying body DNV every six months to ensure continued compliance, and especially to make sure that policies and practice keep pace with any environmental changes.
Gaining a higher profile
Though BS7799 may lack visibility at the moment, that situation looks set to change. The new Data Protection Act, which came into force on 1 March 2000, may help to raise awareness. The Data Protection Registrar's document, Preparing For The New Act, states, "Reference to BS7799 may help data controllers assess the adequacy of their current security regime."
On the other hand, awareness of the Act itself is, at best, patchy, points out MIS-CDS's Kenward, who recently had a letter from a credit company that mentioned the 1984 Data Protection Act rather than the latest 1998 version.
Having implemented BS7799 could be a help in the case of a legal dispute. George Gardiner, a partner in the IT and telecoms group of law firm Tarlo Lyons, says, "In establishing whether a company is accountable for a breach of security, the courts will look to see whether it has employed adequate security methods.
Following BS7799 can at least indicate to the court that you're aware of the problems and are doing something to secure the company, using a recognised reference model." Of course, you would have to show that you'd implemented and were continuing to adhere to the model - official BS7799 certification might help here.
Insight's Glover points out that BS7799 could also be a useful aid to compliance with the corporate governance demands associated with the Turnbull Report. This fact might attract some attention from any directors who realise they can be personally liable if their companies don't give due attention to risk management.
Security issues relating to e-commerce - a new emphasis in the latest version of the standard - could also raise its profile. Smile, the Co-op's online bank, is among the first companies outside the security industry to have been certified under BS7799 (with help from Insight Consulting) and evidently hopes that emblazoning its Web site with the fact will reassure Net-shy customers.
"Smile is safe - it's the only Internet bank in the world to be accredited to BS7799 for information security management by the British Standards Institution," asserts its home page. Announcing the certification in January, Keith Girling, director of technology at The Co-operative Bank, said, "We knew the multi-levelled security surrounding our Internet systems was extremely robust, but it is very satisfying to know we have met all the rigorous requirements laid down by the BSI."
The growth of business-to-business e-commerce could give another fillip to BS7799. Malcolm Skinner, product marketing manager with Axent Technologies, expects to see large companies encouraging, if not forcing, smaller suppliers, partners and agents to get certified. "On the whole, the largest companies appreciate the value of information, and their obligation to look after information about third parties. They will be looking for an indication that other companies they share information with have taken steps to safeguard it. BS7799 is an obvious way of achieving that."
What are BS7799 and C:CURE?
BS7799 is the British Standard for information security management. It addresses the confidentially, integrity and availability of information and has two parts: a "code of practice" and a "specification".
First published in 1995, the standard appeared in a revised version last year. The 1999 version replaces references to "IT" with "information", and has been revised in other areas to make it clear that the information security issue is not restricted to the IT department but is a corporate responsibility. Controls specifically to address e-commerce have also been introduced.
The standard is looked after by a committee of the BSI's information arm BSI-DISC. Companies like Marks & Spencer and Shell were involved in the consultations that produced the standard, along with IT organisations like the CCTA and BCS.
As with other standards, two separate validation concepts apply: certification of organisations that comply with the standard, and accreditation of those bodies and individuals who audit organisations for compliance.
c:cure is a scheme for accrediting those who intend to audit organisations for compliance with BS7799, with accreditation paths for both certification bodies and individual auditors.
The scheme comes under the aegis of BSI-DISC and involves UKAS (the United Kingdom Accreditation Service), the BCS and IRCA (the International Register of Certified Auditors). Just to complicate matters, c:cure accreditation isn't mandatory for BS7799 certification bodies and auditors.
This was first published in April 2000