Differences Between BS 7799 and BS 7799-2
BS 7799 - the Code of Practice for establishing an Information Security Management System (ISMS) - is rapidly being adopted by many UK and international businesses who have recognised the need to demonstrate effective protection of their own, and their customers', information.
This adoption led, in December 2000, to the International Standards Organisation (ISO) publishing BS 7799: Part I as an international standard. It is known as ISO/IEC 17799:2000.
What's not in the ISO standard
The ISO standard currently provides guidance on 127 security 'controls' that are structured under ten major headings. The information provided for each control is intended for guidance only.
Some confusion still arises, however, from the fact that there is a second part to BS 7799. This is a separate publication and covers Information Security Management Systems. It is not currently an ISO document.
Compliance and certification
Users of the standard need to carry out a risk assessment to identify which controls are relevant to their own business environment and how those controls should be implemented. It should be noted that a risk assessment is a mandatory requirement within BS 7799 Part II.
As well as covering security for computers and networks, ISO/IEC 17799 also provides guidance on security policies, staff security awareness, business continuity planning, legal requirements and overall assurance.
The ISO Standard and BS 7799 Part II should be considered as a working 'pair' with distinct purposes as follows:
• ISO/IEC 17799:2000 (formerly BS 7799 Part I) is the Code of Practice and can be regarded as a comprehensive catalogue of guidance on what constitutes good security practice.
• BS 7799-2:2002 (Part II) summarises the same 127 ISO controls and additionally provides a specification for an Information Security Management System (ISMS). An ISMS is the means by which senior management must monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.
It is important to note that formal certification must always be carried out against BS 7799 Part II. This will continue to be the case until the publication of a fully ratified ISO equivalent of BS 7799 Part II.