•  Information Security Management System (ISMS)
Part 1 (The assessable and certifiable standard)
BS ISO/IEC 27001:2005 (BS 7799-2) Information technology. Security techniques. Information security management systems. Requirements

ISO/IEC 27001:2005 (formerly BS 7799-2:2002) is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected. The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties including an organization's customers.

Covering all types of organizations from commercial enterprises, government agencies to non-profit organizations, this international standard provides a specification for ISMS within the context of the organization's overall business risks and the foundation for third party audit and certification.

Harmonized to work with other management system standards such as ISO 9001 and ISO 14000, BS ISO/IEC 27001:2005 assists in the integration and operation of an organization's overall management system.

It is suitable for several different types of organizational use, including the following:

•  Formulation of security requirements and objectives
•  To ensure that security risks are cost effectively managed
•  To ensure compliance with laws and regulations
•  As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met
•  Identification and clarification of existing information security management processes
•  To be used by management to determine the status of information security management activities
•  To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization
•  To provide relevant information about information security policies, directives, standards and procedures to trading partners
•  To provide relevant information about information security to customers.

BS ISO/IEC 27001:2005 supersedes BS 7799-2:2002.

Part 2 (Best Practices)
BS ISO/IEC 17799:2005 Information technology. Security techniques. Code of practice for information security management

The ISO/IEC 17799 Code of Practice for Information Security Management establishes the guidelines and general principles for organizations to initiate, implement, maintain, and improve information security management.

Recognized and adopted by industry professionals worldwide, this universal code of practice provides a complete set of guidelines and principles for an effective ISMS and information security policy. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:

•  Security policy
•  Organization of information security
•  Asset management
•  Human resources security
•  Physical and environmental security
•  Communications and operations management
•  Access control
•  Information systems acquisition, development and maintenance
•  Information security incident management
•  Business continuity management
•  Compliance.

The latest revision takes into account changes in technology, working practices and security techniques, which enable organizations to develop, implement and measure effective security management practice.

This standard also provides additional controls together with the revision of existing ones, bringing the total to 134 controls.

More user-friendly and accessible than ever before, BS ISO/IEC 17799:2005 firmly puts best practice into an international context.

BS ISO/IEC 17799:2005 supersedes BS 7799-1:2000.

Implementing the ISMS

The typical implementation process includes:

•  Getting the organization to become aware of the standard
•  Procurement of the standard
•  Requisite training of people so that they can comply with and apply the standard, and develop the insight to improve security within the organization according to its needs.
•  Creating and defining the organization structure to undertake the implementation.
•  Carrying out a “Risk Assessment” exercise, resulting in a “Risk Treatment Plan”, and formal acceptance of residual risk.
•  Selection of relevant controls, defining the control objectives, defining and formally documenting the policies, procedures and practices to implement the controls resulting in a document called the “Statement of Applicability”.
•  Carrying out the implementation and its review.
•  Selecting a certification body and obtaining an independent assessment that seeks assurance of compliance with the standard's practices, leading to certification.
•  Following through with a continual assessment to establish continuing conformance.

The standard is fundamental in nature and has the Deming PDCA (plan, do, check, act) principle built in, which keeps a continually conforming organization in a continuous cycle of evolution and improvement.

Certification and its benefits

Upon completion of the implementation phase, which results in integrating the ISMS into day-to-day business processes, training staff and formulating an on-going programme of ISMS maintenance, companies need to look at obtaining certification by engaging one of the accredited certification bodies to carry out an audit of the ISMS.

The certificate carries a validity of three years, after which the ISMS needs to be re-certified; in the meantime the certification body visits the ISMS site on a regular basis (e.g. every 6-9 months) to carry out a surveillance audit.

Benefits of certification include better credibility amongst customers; a lower chance of a security breach occurring; legal compliance; commitment at all levels within the organization; and better knowledge of information systems, their weaknesses and how to protect them. In addition, the regular assessment process helps companies to continually use, monitor and improve the management system and its processes.
