What is it?
BS 7799 has become the most widely adopted information security management standard in the world. Now known internationally as ISO 17799 and ISO/IEC 27001, the standards cover people, processes and IT systems, and help identify, quantify and manage threats to information.
The number of companies implementing ISO 27001 is increasing rapidly, and employers are seeking qualified staff, or paying for their own to be trained. There is also a demand for qualified people from security companies, and the organisations that audit and certify ISO 27001 compliance.
But working with these standards involves a management, rather than hands-on technical approach, and lacks the glamour of penetration testing. Much of the work consists of ticking boxes and making sure documents have been completed and filed correctly.
Where did it originate?
BS 7799 Part 1, written by the Department of Trade & Industry, was first published by the British Standards Institution in 1995. BS 7799 Part 2 followed in 1999.
Part 1 became ISO 17799, "Code of practice for information security management". Part 2 was adopted as ISO/IEC 27001 "Security techniques - information security management systems - requirements" in November 2005. Organisations involved in the development of the standards include the International Electrotechnical Commission (IEC), and the Organisation for Economic Co-operation and Development.
What's it for?
ISO/IEC 27001 covers all the steps in implementing an information security management system, from defining an information security policy, performing a risk assessment and selecting controls to be applied, to preparing a statement of applicability.
The controls are selected from ISO 17799, which has 10 sections covering issues such as system access control, personnel security, and business continuity.
The people who certify organisations carry out a two-stage audit, beginning with a review of key documentation, and then testing the effectiveness of the controls.
What makes it special?
From the organisation's point of view, ISO/IEC 27001 certification is increasingly required for government and corporate security contract work. The people who make their money training and certifying claim it can be a "deciding differentiator" in contract tenders.
How difficult is it to master?
You will need several years of general IT experience. A range of courses is on offer, generally teaching fundamentals of ISO/IEC 27001 in a three to five-day course.
Where is it used?
By the end of 2005, about 2,000 organisations were certified either for BS 7799-2 or ISO 27001.
What's coming up?
BS ISO/IEC 27001 is the first of the BS ISO/IEC 27000 series of security standards. BS ISO 17799 may be renamed ISO/IEC 27002.
First you need to get hold of the specifications, which aren't cheap (£90 for 34 pages in the case of ISO/IEC 27001). Many independent trainers teach ISO/IEC 27001, or you can take a BCS ISEB information security management qualification. Internationally recognised auditors' qualifications are offered by IRCA.
Rates of pay
Salaries for information security analysts start at £35,000, IT security managers can expect £40,000-plus, and security consultants and sales specialists can earn £60,000-plus.