BS7799 / ISO17799


Complementarity with existing legislation

 

Many governments around the world are preparing or have adopted regulations prescribing how companies should manage and control information security. The aim is simple: compel management and boards of directors to be responsible for information security, and encourage them to display the same “due diligence” they devote to protecting their assets.

 

Such regulations include the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA):

 

RECENT

LEGISLATION

 

 

WHO IS

AFFECTED?

 

WHAT DO THE

SECURITY

PROVISIONS

COVER?

WHAT ARE

THE

PENALTIES?

 

WHEN IS IT IN

EFFECT?

 

Sarbanes-Oxley

Act of 2002

 

All public

companies

subject to US

security laws

 

Internal controls

and financial

disclosures

 

Criminal and

civil penalties

 

Current law

 

Gramm-Leach-

Bliley Act of

1999

Financial

institutions

 

Security of

customer

records

 

Criminal and

civil penalties

 

Current law

 

Health

Insurance

Portability and

Accountability

Act (HIPAA)

Health plans,

health care

clearinghouses,

and health care

providers

Personal health

information in

electronic form

Civil fines and

criminal

penalties

 

Final security

rule takes effect

in April 2005

 

 

The good news is that an organization that complies with any one of these regulations already possesses a concrete and practical example of an information security management system.

 

For example, HIPAA tackles the same subjects as the ISO 17799 standard while placing the emphasis on the protection of private information.

 

Similarly, the PDCA (Plan-Do-Check-Act) model in BS 7799-2 compares nicely with the four steps in GLBA:

 

  • Identify and assess the risks to customers’ information;

  • Develop a plan containing policies and procedures to manage and control those risks;

  • Implement and test the plan;

  • Adjust the plan on a continuing basis.

 

Finally, compliance with ISO 17799 and BS7799-2 can include the definition of policies and procedures for the security of a company’s sensitive information, as touched on in SOX.
