"The revised BS7799 Part 2 Code of Practice for Information Security Management Systems gives guidance on how to create an information security management system and identifies critical success factors that an organisation must achieve if it is to successfully implement information security," says Willie List, chairman of the BCS Security Expert Panel.
"In particular, it has introduced a plan-do-check-act model for creating and maintaining an effective information security management system. This will ensure that such systems are harmonised with other management systems in an organisation."
List gives examples of what the plan-do-check-act tasks include:
- Plan: define the scope of the information security management system, identify and assess the business risks
- Do: implement agreed risk treatment activities and appropriate controls
- Check: monitor the performance of controls, review risk levels in the light of changing circumstances, perform internal information security management system audits
- Act: implement improvements in the information security management system process, implement modifications to the controls as necessary to meet changing circumstances
This last point underlines a key aim of the revision of the standard: to highlight the need to continually improve the process of security management and continually assess security procedures in the light of changing business requirements, technology threats and new circumstances.
The BCS says the revision has greatly clarified other parts of the standard. It has also cleared up some of the confusion surrounding its relationship to the international standard in this field and the newly revised guidelines from the Organisation for Economic Co-operation and Development.
"Commerce and society depend on automated processing, and part of the responsibility of IT professionals is to ensure adequate defence against ill-intentioned people, hackers and fraudsters, as well as the hazards of hardware and software failure," List says. "The concept of an information security management system as set out in the revised standard will help all professionals achieve this objective.
"We commend this standard to all who seek to establish effective information security."