BS 7799

From Wikipedia, the free encyclopedia

BS 7799-1 (BS = British Standard) defines a "code of practice" for information security. The 1999 edition, BS 7799-1:1999, was adopted by ISO as ISO/IEC 17799 and was later renumbered ISO/IEC 27002. An organization can audit itself internally against this part of the standard, but it cannot obtain an externally recognized certification against it.

BS 7799-2 (full title: BS 7799-2:2002, Information security management systems - Specification with guidance for use) is the specification for an information security management system (ISMS). This management system sits alongside a number of other international management system standards (ISO 9001, ISO 14001, ISO 20000). BS 7799-2:2002 was adopted internationally as ISO/IEC 27001 in 2005.

Objective

BS 7799 was published with the aim of giving an organization's managers and staff a model for introducing and operating an effective ISMS. Introducing an ISMS is a strategic decision that is shaped by the organization's corporate strategy and business objectives. BS 7799 is also used to assess the organization, including assessment by accredited certification bodies.

History

The Commercial Computer Security Centre (CCSC) of the UK Department of Trade and Industry (DTI) did pioneering work in IT security management with the so-called Green Books. On the one hand, they contained the British draft evaluation criteria for IT security and an associated evaluation and certification scheme. At the same time a "code of good security practice" was developed, which resulted in the volumes User's Code of Practice (V11) and Vendor's Code of Practice (V31). The Green Books were issued as drafts between February and November 1989 and never progressed beyond draft status.

In 1992 the DTI appointed a working group that was to evaluate accepted information security best practice together with UK companies and organizations. The participating firms included Royal Dutch Shell, British Telecom, BOC, Marks & Spencer, Midland Bank, Nationwide Building Society and Unilever.

The results were published in 1993 as the "Code of Practice". In 1995 the British Standards Institution (BSI) adopted it and published it as BS 7799:1995. This version of the standard was not widely used, primarily because of its lack of flexibility. A fundamental revision began in 1998: UK-specific references were removed and technical developments such as e-commerce were added. The standard was split into BS 7799-1:1999 (Part 1) and BS 7799-2:1998 (Part 2). In 2000 the International Organization for Standardization (ISO) adopted Part 1 as ISO/IEC 17799:2000. A revised edition, ISO/IEC 17799:2005, followed in 2005 and was renumbered ISO/IEC 27002:2005 in 2007.

With BS 7799-2:1998 there was for the first time a specification against which an ISMS could be audited and certified. In 2002 Part 2 was again substantially revised, including the introduction of the Plan-Do-Check-Act (PDCA) cycle, resulting in BS 7799-2:2002. The successor of BS 7799-2 is the international standard ISO/IEC 27001, which has been the internationally recognized basis for certification since 2005.

Certification

Certification of an ISMS is only possible against BS 7799-2:2002 (and, since 2005, its successor ISO/IEC 27001). ISO/IEC 17799 is a code of practice, so an accredited certification against it is not possible. A certification is accredited if it is carried out by a certification body that is supervised by an accreditation body such as the United Kingdom Accreditation Service (UKAS) or the Deutsche Akkreditierungsstelle (DAkkS). A BS 7799 certificate is valid for three years. Surveillance audits take place every six months, and a complete recertification audit takes place after three years.

Structure

0. Introduction

  • 0.1 General
  • 0.2 Process approach
  • 0.3 Compatibility with other management systems

1. Scope

  • 1.1 General
  • 1.2 Application

2. Normative references

3. Terms and definitions

4. Information security management system (ISMS)

  • 4.1 General requirements
  • 4.2 Establishing and managing the ISMS
  • 4.3 Documentation requirements

5. Management responsibility

  • 5.1 Management commitment
  • 5.2 Resource management

6. Management review of the ISMS

  • 6.1 General
  • 6.2 Review input
  • 6.3 Review output
  • 6.4 Internal ISMS audits

7. ISMS improvement

  • 7.1 Continual improvement
  • 7.2 Corrective action
  • 7.3 Preventive action

Management system

Clauses 4 to 7 contain the organizational framework for introducing and operating the information security management system. Its essential elements are:

  • Internal audit
  • Management review
  • Document control
  • Risk management

Annex A

Annex A of BS 7799-2 lists the controls, which comprise both technical and organizational measures. The same controls are described in more detail in ISO/IEC 17799: clauses 3 to 12 of ISO/IEC 17799:2000 correspond to sections A.3 to A.12 of BS 7799-2:2002.
