BS 7799

From The Secure Arc Wiki


Some of the following information is referenced from wikipedia, reproduced in accordance with the GNU Free Documentation License

BS 7799 was a standard originally published by the British Standards Institution (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI) and, after several revisions, its first part (the code of practice) was adopted by ISO in 2000 as ISO/IEC 17799, "Information Technology - Code of practice for information security management." ISO/IEC 17799 was most recently revised in June 2005 and was renamed ISO/IEC 27002 in July 2007.

A second part, BS 7799 Part 2, titled "Information Security Management Systems - Specification with guidance for use," was first published by BSI in 1999. Where Part 1 was a code of practice, BS 7799-2 specified how to implement an Information Security Management System (ISMS) and listed the control objectives and controls of Part 1 in an annex against which an organization's chosen controls could be checked; it was therefore the part of BS 7799 that an organization could be certified against, and it later became ISO/IEC 27001. The 2002 revision of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle (the Deming quality model), aligning it with quality management standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.

BS 7799 Part 3 was published in 2005, covering the information security risk assessment and risk treatment process on which an ISMS is built. It aligns with ISO/IEC 27001.

The following information gives a brief account of the BS 7799-2 standard. Each requirement of the standard can be broken down into more specific sub-requirements, which can be mapped back both to the Security Principles that motivate them and to the Design Patterns that satisfy them.


Standards Outline

Please refer to the outline of ISO 27001, which superseded BS 7799-2.

Standard Practice

Certification involves:

  • Stage 1 is a "table top" (documentation) review that checks the existence and completeness of key ISMS documentation such as the organization's security policy, ISMS scope, risk assessment, Statement of Applicability (SoA) and Risk Treatment Plan (RTP).
  • Stage 2 is a detailed, in-depth audit that tests the existence and effectiveness of the information security controls stated in the SoA and RTP, together with their supporting documentation and records. The point of this stage is evidence that the controls actually operate, not merely that they are documented.
  • Stage 3 is a follow-up reassessment audit confirming that a previously certified organization remains in compliance with the standard. Certification maintenance involves periodic surveillance reviews and re-assessments to confirm that the ISMS continues to operate as specified and intended; in practice surveillance audits are typically annual, with a full recertification audit every three years.

Licensing and Documentation

The text of BS 7799-2 is BSI copyright and does not permit public distribution or reproduction, so it is not reproduced here. As the standard has been superseded, please refer to the ISO 27001 standard instead; it is available for purchase from the BSI website.

