Prior to a BS 7799 audit it is worth remembering the Boy Scouts' adage: "Be Prepared". A small number of companies fall at the very first step simply because they have failed to prepare adequately.
For example, an organisation that has failed to complete a risk assessment cannot realistically expect to gain certification. In the same way, an organisation unable to demonstrate that its system works - by way of its own internal reviews - is unlikely to pass an external audit.
Organisations need to have established an information security management framework prior to agreeing dates for the assessment. This means you should have defined the security policy and the scope of the Information Security Management System (ISMS); undertaken a risk assessment; produced a statement of applicability; and identified the objectives and controls to be implemented.
An auditor will expect to see documentation supporting the implementation and management of the ISMS and records of the operation of the system. Both an electronic- and a paper-based ISMS will typically include:
It is typical to expect an organisation to have records from a minimum of three months for a certification body to audit against. A certification body will be looking to judge how well the records demonstrate the effectiveness of the system.
It is important to have senior management involvement in the preparation of the ISMS and in the audit process and there should be a champion on the board who can explain the reasons for the development of an ISMS. Managers must demonstrate commitment and leadership and ensure everyone understands that information security is not just an IT issue but a critical business issue which affects the long-term success and indeed survival of the company.
Many recent surveys have shown that breaches in information security can be extremely expensive and time consuming and can potentially jeopardise the reputation of a company.
Status of your system
The purpose of the certification body's assessment is to confirm compliance with the standard rather than prove non-compliance. It is therefore in your interest to know the status of your ISMS by undertaking regular internal security reviews and management audits.
The points mentioned above form the basis of an ISMS - you need to have these complete before proceeding to the next stage.
The audit process is a two-stage process, each of which will require a separate visit. In stage one the auditor will review the security policy, risk assessment, statement of applicability and the ISMS documentation. Stage two will involve an assessment of the implementation and effectiveness of the ISMS.
Facilitating the process
A facilitator or guide should be provided for the auditor. These are people who will be able to assist the auditor in understanding the company structure and the ISMS. Many people find the auditing process to be intimidating and stressful and a good guide will facilitate the auditing operation, acting as a go-between to assist both the external auditor and staff.
The selection of the guide can be critical to the process. A good guide will help smooth the way - a poor guide can create stressful situations. Those organisations that have used consultants to establish the ISMS may find it useful to have these on-site during the audit and where appropriate act as guides. However, the certification body is looking for how well the company understands the ISMS and not how well the consultant understands it.
Keep people informed
Staff must be fully briefed prior to the visit using the most appropriate methods available. It is important to convey to employees the nature of the audit and that the process has not been designed to inflict judgement on their personal performance, rather it is an investigation of the system. Indeed, for maximum benefit to be gained, staff should be encouraged to participate and learn from the process which, in turn, should lead to system improvements.
Internal debriefing sessions following the audit can provide a useful and constructive forum to discuss the results, share experiences and pool ideas - but they should not be used to point the finger or pass the buck if the result was not the one expected!
A certification body will provide a daily audit programme in advance of the visit but this should not be seen as set in stone. Depending on the progress of the audit, it is not always possible to define a fixed start, finish and duration time, so some flexibility will be required from the company. The assessor should be equally flexible if an urgent situation arises in the company which requires changes to the programme.
It is hoped that, with careful preparation and the involvement and commitment of senior management, the company will be successful and gain approval to BS 7799. However, if this is not the case and the auditor raises a non-conformance, you will have the opportunity to discuss the validity of the non-conformance with your auditor.
Your certification body will have an appeals procedure if you are unable to reach agreement. However, the auditor should be constructive in his findings and should help you to regard non-conformances as an opportunity to improve your system.
Gerry Ashton is IT sector specialist at Lloyd's Register Quality Assurance (LRQA), which provides assessment and certification services to BS 7799. Contact LRQA on 0800-783 2179.
Implementing best practice in security
BS 7799 was spearheaded by the Government through the DTI and was first published in 1995. According to Chris Blyth, spokeswoman at LRQA, it enables organisations to implement best practice in information security management.
She says, "Companies which have developed an Information Security Management System (ISMS) that conforms to BS 7799 demonstrate a commitment to information security. This certification will give organisations key advantages over competitors by providing invaluable additional credibility. It enables an organisation to make a public statement of capability without revealing its security provisions or opening its systems to second party audits. It will also give the organisation itself the confidence in the integrity and security of its own systems and processes as measured against the best industry practices."