Security Basics mailing list archives
RE: 7799?
From: David Brown <davidbrown () coal gov uk>
Date: Tue, 4 Nov 2003 17:25:07 -0000
You'll probably find that the bulk of the work involves defining the business processes behind the organisation. Policy writing, risk analysis, change management etc. will be the bulk of the work and that stays pretty much the same for all organisations regardless of size. Bear in mind that even if you think that large chunks of the standard don't necessarily apply to your organisation, you have to justify that decision as part of the accreditation process. BS7799 isn't just about IT security measures, it's about how you manage, maintain and develop your information environment as a whole.

Just identifying your risks and control objectives will be a major piece of work before you even start to define your actual controls and document them. As an example, our control framework document - listing all our areas of risk, the associated control objectives and the outline controls for each one (i.e. "We need a policy for this and we need to maintain it correctly.") - runs to 40 pages. We aren't a large organisation either, < 200 employees.

The best approach is to work through the ISO documentation, starting with the "Guide on selection of BS7799 controls" and use that as your template to identify areas of risk where you may need to define a control objective. A lot of risks are predefined but you'll still have to think through your business processes to make sure you identify any that are unique to you. Use the "Guide to BS 7799 Risk Assessment and Risk Management" to develop your risk assessment framework and run it against the risks you found in the first stage. Where your risk assessment indicates they are needed, define your control objectives and then develop your controls. It's probably overkill for a really small organisation but you might want to take a look at COBIT as well, Control Objectives for Information Technology.

Finally, you really will need buy-in from senior management or its equivalent to do this, since it will almost certainly mean changes to the way the organisation works and manages its information. Many of those changes will be far more proscriptive than they are used to, especially in a small outfit. Once you've got all that done you're ready to start thinking about accreditation and audit :)

Dave Brown

-----Original Message-----
From: jm [mailto:jm () mindless com]
Sent: Monday, November 03, 2003 11:24 PM
To: security-basics () securityfocus com
Subject: 7799?

Hi,

I have been asked to look at getting a small organisation up to 7799 accreditation standards in a short time span. They have minimal systems: email, internet access and a CRM database on 2 servers, and around 10 PCs, so the quantity of work should not be too much. I realise that an approved external accreditation body has to perform the certification process, and I have a fair bit of knowledge of the work required, but I am starting from a blank sheet, so what I would like to know is if anyone on the list would have any reference templates/checklists/procedures available for sharing. I have got the BSI/ISO documents, so they are a good start, but would appreciate all the help that can be got.

Thanks in advance
JM

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%.
FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------

****************************************************************************
This communication contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). Please note that any distribution, copying or use of this communication or the information in it is strictly prohibited. If you have received this communication in error please notify us by e-mail or telephone ((+44) 01623 427162) and then delete the e-mail and any copies of it. This communication is from The Coal Authority whose principal address is at 200 Lichfield Lane, Berry Hill, Mansfield, Notts, NG18 4RG, England.
****************************************************************************