There is little doubt that security standards are not being readily adopted by the business community.
With the DTI threatening to make BS7799 a legal requirement, however, businesses will soon need to bite the bullet and take on what is often perceived to be the onerous task of creating and maintaining information security policies and procedures.
Many reasons are given for not putting a business forward for certification. The usual issues of time, cost and a lack of resources are all cited as obstacles that cannot be overcome, but a slight shift in the perception of information security shows just how weak this reasoning is.
The implementation of corporate systems can take months to reach completion, arguably incurring thousands of pounds in consultancy fees along the way. This, it seems, is widely accepted as the norm. Why, then, do businesses insist on a quick fix for security?
Even the security sector has been distracted by these perceived obstacles. Although Integralis was one of the first UK consultancies to gain BS7799 certification, it is still by no means a given that a business operating in the security sector will have gained the standard.
The notion that obtaining certification is a time-consuming exercise is misguided. In Integralis' case the route to BS7799 comprised just two visits from the certification body. During the first visit the scope of the Information Security Management System (ISMS) was confirmed and weaknesses, both potential and specific, were identified.
This was followed some weeks later by an audit of the business' response to the initial report. The findings of that audit were summarised and the report independently reviewed before being sent to the DTI.
Certification has proved essential in allowing policies and procedures to be demonstrated at any given time, a great advantage for the certified organisation and its customers alike.
It has raised the profile of security across the business, encouraging involvement from all employees and bringing security issues to the forefront of their minds.
One problem common to all poor information security strategies is complacency. It is vital that gaining certification is viewed as the first step on the ladder towards a consistently high level of information security. The work must continue to ensure that the business remains compliant; otherwise the investment in time, money and resources will have been wasted come the next audit.
The rewrite of BS7799 Part 2 means that the processes for maintaining the standard must themselves be demonstrated in order to obtain certification, so in this respect BS7799 is now easier to run than in its earlier forms.
The process of gaining certification need not be an expensive one. It is simply a matter of taking the existing policies and procedures and bringing them into line with the BS7799 framework. Likewise, time is not an issue, given the amount of it already spent tending to security needs outside a guiding framework, in ways that are arguably less structured, less tangible and less effective.
In terms of resources, it is important to recognise the very real benefit of the increased awareness of information security issues that will permeate the business at all levels.
BS7799 has provided, and will continue to provide, a tangible means of improving information security.
Graham Jones is UK country manager at Integralis, a content security company.
This was first published in April 2003