British Standard 7799

The British Standard 7799 (BS 7799) was a British standard for information security management. It combined a code of practice (a catalogue of security controls with guidance on applying them) with a specification for an information security management system (ISMS): the management framework, control objectives and controls against which an organization could be assessed and certified.

History and Development

The first part of BS 7799 was published by the British Standards Institution (BSI) in 1995, growing out of a code of practice developed with UK industry and government. It was written to give organizations a consistent, practical framework for managing information security as business processes became increasingly digital and interconnected. A second part, the ISMS specification, followed in 1998, and both parts were revised in 1999; the 2002 revision of Part 2 aligned the standard with the Plan-Do-Check-Act (PDCA) management cycle.

Structure of the Standard

BS 7799 consisted of two main parts:

  1. BS 7799-1: Code of practice for information security management. It provides detailed guidance on a broad catalogue of security controls, grouped into control areas such as security policy, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance. It is guidance, not a set of requirements, so an organization cannot be certified against Part 1 alone.
  2. BS 7799-2: Specification for information security management systems. It defines the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS, and references the Part 1 controls in an annex. It is the part an organization is audited and certified against, and is intended for organizations that wish to formalize their ISMS and demonstrate conformance to third parties.

Objectives and Controls

BS 7799 aims to protect the confidentiality, integrity, and availability of information. Its controls are selected on the basis of an assessment of risk, and the main control objectives include:

  • Risk management: Identifying, assessing, and treating information security risks, and documenting which controls were selected and why.
  • Access control: Ensuring that only authorized persons and systems can access information, and that access is granted according to business need.
  • Physical and environmental security: Protecting information and the equipment that processes it from physical and environmental threats such as unauthorized entry, theft, fire, and power failure.
  • Personnel security: Ensuring that employees and contractors understand their security responsibilities, are screened appropriately, and are trained to recognize and report incidents.
  • Business continuity management: Preparing for and responding to incidents that could disrupt business operations, so that critical processes can be restored within an acceptable time.

Implementation

Implementing BS 7799 requires a systematic assessment of information security risks and the adoption of controls that reduce those risks to a level the organization accepts. The typical implementation process, which Part 2 frames as a Plan-Do-Check-Act cycle, includes:

  1. Scope and policy: Defining the boundaries of the ISMS (which business units, sites, systems, and information are covered) and obtaining management approval for an information security policy.
  2. Risk assessment: Identifying information assets, the threats and vulnerabilities that affect them, and the likelihood and business impact of each risk.
  3. Risk treatment and selection of controls: Deciding for each risk whether to reduce, accept, avoid, or transfer it, choosing controls from Part 1 (or elsewhere) for the risks to be reduced, and recording the selected and excluded controls, with justification, in a Statement of Applicability.
  4. Implementation: Applying the selected controls, assigning owners, and producing the evidence (procedures, records, configuration) that shows they are operational.
  5. Monitoring and review: Measuring the effectiveness of controls through internal audits, management reviews, and incident data, and correcting or improving the ISMS on the basis of what is found.

Certification

An organization could obtain BS 7799 certification by demonstrating conformance with the requirements of BS 7799-2 through an independent assessment by an accredited certification body. The audit checks that the ISMS is in place and operating as documented, and that the controls recorded in the Statement of Applicability are justified by the risk assessment. Certification provides assurance to customers, regulators, and other stakeholders that the organization manages information security systematically, but it certifies the management system, not the absence of vulnerabilities, so it should not be read as a guarantee that a particular breach cannot occur. Since the publication of ISO/IEC 27001, certification is issued against that standard rather than against BS 7799-2.

Evolution

BS 7799 has had a significant impact on information security management globally, because it became the basis of the ISO/IEC 27000 family of international standards. Part 1 was adopted as ISO/IEC 17799 in 2000 and renumbered ISO/IEC 27002 in 2007; Part 2 was adopted as ISO/IEC 27001 in 2005, after which BS 7799-2 was withdrawn. A later third part, BS 7799-3 (2006), gave guidance on information security risk management. ISO/IEC 27001 and 27002 remain the widely used successors today.

Conclusion

BS 7799 played a crucial role in defining information security management as a risk-driven, auditable discipline, and its structure survives in the ISO/IEC 27001 and 27002 standards that superseded it. Organizations that follow this approach, assessing their risks, selecting and justifying controls, and reviewing the result on a regular cycle, are better placed to protect their information and to show others that they have done so.