ISO 17799 / BS 7799-2 - PowerPoint PPT Presentation

About This Presentation
Title: ISO 17799 / BS 7799-2
Slides: 12
Provided by: cal96

1
ISO 17799 / BS 7799-2 STEP BY STEP
IMPLEMENTATION GUIDE
2
Overview
ISO 17799 / BS 7799-2 implementation guide
In this presentation you will see an overview of the 8 main steps to follow when implementing the ISO 17799 / BS 7799-2 standard. These steps are explained in detail in the Callio Secura 17799 Methodology module, with graphics, PowerPoint presentations and more.
  1. Project initiation
  2. ISMS definition
  3. Risk assessment
  4. Risk management
  5. Training and awareness
  6. Preparing for the audit
  7. Audit
  8. Ongoing improvement
3
STEP 1
ISO 17799 / BS 7799-2 implementation guide
Project initiation
  • Ensure the commitment of senior management.
  • Select and train members of the initial project team.

The various committees and teams associated with the project are presented in the following proposed structure:
  • Organizational Management Committee: manages implementation.
  • Implementation Committee: ensures development and implementation.
  • Implementation Support Group: ensures data backup and employee training.
  • Working group: develops implementation.
  • Working teams: created when necessary to develop tools and procedures.
4
STEP 2
ISO 17799 / BS 7799-2 implementation guide
ISMS definition
ISMS Mandate: Once a management committee has been created, it must define the scope of the information security management framework so as to focus on the essentials. The security perimeter can cover either selected sections of an organization or the entire organization. Keep in mind that the ISMS must be under organizational control: if the organization does not control the ISMS, it will be unable to manage it efficiently.
In order to accurately define your ISMS, you must clearly identify:
  • Goal / Objective
  • Scope
  • Boundaries / Limits
  • Interfaces
  • Dependencies
  • Exclusions and Justification
  • Strategic Context
  • Organizational Context
5
STEP 3
ISO 17799 / BS 7799-2 implementation guide
Risk assessment
Measure compliance with ISO 17799 controls: Make an initial assessment of the security status of the management framework, in terms of the controls, processes and procedures required by ISO 17799.
Asset Identification and Evaluation: The first stage of the information security risk assessment process is the identification of critical and/or sensitive data.
Identification and Evaluation of Supporting and Environmental Assets: Because information is an intangible asset, it must be handled, processed, stored, printed, disposed of and communicated through tangible means. Therefore, the intangible assets of an organization must be identified and their value determined as a function of CIAL criteria (Confidentiality, Integrity, Availability, Legal requirements).
Identification and Evaluation of Threats and Vulnerabilities: It is important to identify the weaknesses of any asset that supports the organization's critical information. Such weaknesses are exposed to threats and can therefore have a negative impact on information (disclosure, corruption, destruction, legal prejudice).
6
STEP 4
ISO 17799 / BS 7799-2 implementation guide
Risk management
Risk management options:
  1. Risk Reduction
  2. Risk Acceptance
  3. Risk Avoidance
  4. Risk Transfer
Selecting Controls: In most cases, risk reduction is the option selected. Consequently, objectives must be set and controls implemented.
Risk Management Plan: The risk management plan contains all the information required for implementation: management tasks and responsibilities, the names of those in charge, risk management priorities, etc.
Implementation of Controls: The organization must now implement the risk management plan and monitor the implementation of the controls required in each information environment to be protected.
7
STEP 5
ISO 17799 / BS 7799-2 implementation guide
Training and awareness
Training and awareness building: The organization must ensure that all staff members who have been assigned a specific responsibility in the ISMS are qualified and able to perform their tasks. In this respect, the organization must:
  • identify the skills required by personnel working on information security;
  • provide appropriate training and, if necessary, hire experienced staff for this task;
  • evaluate the effectiveness of the training provided and the actions undertaken;
  • keep a record of the education and training programs followed by each employee, as well as their abilities, experience and qualifications.
The organization must also ensure that the necessary personnel are aware of the importance of their information security activities and of how they contribute to meeting ISMS objectives. It is important to develop a training and awareness program in order to educate all employees. Employees must understand and respect good information security practices. Employees represent the cheapest countermeasure against security violations. Usually, they are the first to be affected by security incidents. Employees who are aware of the implications of security problems can prevent incidents and lower their impact when they occur.
Given the importance of all personnel in terms of security control, staff awareness is extremely important in any security program. Recognizing and reporting any event that could represent a security incident should become a reflex. This is precisely the goal of the information security awareness program. Involving employees in information security greatly facilitates protecting the business assets.
8
STEP 6
ISO 17799 / BS 7799-2 implementation guide
Preparing for the audit
ISMS Compliance Diagnostic: BS 7799-2 certification requires the validation of compliance with the implementation specifications of the management framework.
Statement of Applicability: The statement of applicability must be produced before the audit. This document provides justification for the applicability or non-applicability of each ISO 17799 control to the ISMS in question. It also includes, where applicable, each control's current implementation status. In short, the objectives, the selected controls and the grounds for their selection are explained therein, as are the grounds for the exclusion of any measure listed in the ISO 17799 standard.
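The risk assessment of Step 3 (assets valued by CIAL criteria, threats acting on vulnerabilities), the treatment decision and plan of Step 4 (the four options, control selection) and the statement of applicability of Step 6 form one chain of records. The following Python is an added worked example written for this page; it is not code from the Callio presentation or the Callio Secura product. The 1-to-3 scoring scale, the "asset value times likelihood" formula, the acceptance threshold, the sample assets and scenarios, and the CTRL-x control identifiers are all constructed for illustration and are not the ISO 17799 / BS 7799-2 method or its control numbering.

```python
from dataclasses import dataclass
from typing import Dict, List

# Step 3: an asset valued by CIAL criteria. The 1 (low) .. 3 (high) scale is assumed.
@dataclass
class Asset:
    name: str
    c: int  # confidentiality
    i: int  # integrity
    a: int  # availability
    l: int  # legal requirements

    def value(self) -> int:
        # Assumed valuation rule: the asset is worth its most demanding criterion.
        return max(self.c, self.i, self.a, self.l)

# Step 3: a threat acting on a vulnerability of a supporting asset.
@dataclass
class Scenario:
    sid: str
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1..3, assumed scale
    impact: str      # disclosure / corruption / destruction / legal prejudice
    option: str = ""  # Step 4 decision, filled in by plan_risk()

    def risk(self) -> int:
        # Assumed formula: asset value x likelihood, giving a score from 1 to 9.
        return self.asset.value() * self.likelihood

# Step 4: the four risk management options named on the slide.
REDUCE, ACCEPT, AVOID, TRANSFER = ("Risk Reduction", "Risk Acceptance",
                                   "Risk Avoidance", "Risk Transfer")

@dataclass
class Control:
    cid: str           # placeholder id, not a real ISO 17799 clause number
    title: str
    treats: List[str]  # scenario ids this control reduces
    status: str        # implemented / planned / not implemented

def choose_option(s: Scenario, forced: Dict[str, str], accept_below: int = 3) -> str:
    # Assumed decision rule: management may force Avoidance or Transfer for a scenario;
    # otherwise low risks are accepted and the rest are reduced (the usual choice).
    return forced.get(s.sid, ACCEPT if s.risk() < accept_below else REDUCE)

def plan_risk(scenarios: List[Scenario], controls: List[Control],
              forced: Dict[str, str], accept_below: int = 3) -> List[dict]:
    """Step 4 plan: one entry per scenario with its option and the controls
    selected for it, ordered by priority (highest risk first)."""
    plan = []
    for s in scenarios:
        s.option = choose_option(s, forced, accept_below)
        selected = [c.cid for c in controls if s.sid in c.treats] if s.option == REDUCE else []
        plan.append({"scenario": s.sid, "risk": s.risk(), "option": s.option, "controls": selected})
    return sorted(plan, key=lambda e: e["risk"], reverse=True)

def statement_of_applicability(controls: List[Control], plan: List[dict],
                               exclusions: Dict[str, str]) -> List[dict]:
    """Step 6: for every control in the catalogue, record whether it applies, the grounds
    for that and its implementation status; `exclusions` holds management's reasons."""
    reduced = {e["scenario"] for e in plan if e["option"] == REDUCE}
    soa = []
    for c in controls:
        treated = [sid for sid in c.treats if sid in reduced]
        if treated:
            soa.append({"control": c.cid, "applicable": True, "status": c.status,
                        "justification": "treats " + ", ".join(treated)})
        else:
            soa.append({"control": c.cid, "applicable": False, "status": None,
                        "justification": exclusions.get(c.cid)})
    return soa

def missing_justifications(soa: List[dict]) -> List[str]:
    """Pre-audit check: every excluded control needs a stated reason."""
    return [r["control"] for r in soa if not r["applicable"] and not r["justification"]]

# Constructed sample data for a small ISMS scope (not from the presentation).
CUSTOMER_DB = Asset("customer database", c=3, i=3, a=2, l=3)
INTRANET = Asset("intranet web server", c=1, i=2, a=2, l=1)
SCENARIOS = [
    Scenario("S1", CUSTOMER_DB, "theft of backup media", "unencrypted backup tapes", 2, "disclosure"),
    Scenario("S2", INTRANET, "web defacement", "unpatched web server", 2, "corruption"),
    Scenario("S3", INTRANET, "power outage", "no UPS", 1, "destruction"),
    Scenario("S4", CUSTOMER_DB, "fire in server room", "single site", 1, "destruction"),
]
CONTROLS = [
    Control("CTRL-A", "encryption of backup media", ["S1"], "planned"),
    Control("CTRL-B", "patch management procedure", ["S2"], "implemented"),
    Control("CTRL-C", "uninterruptible power supply", ["S3"], "not implemented"),
    Control("CTRL-D", "off-site standby system", ["S4"], "not implemented"),
]
FORCED = {"S4": TRANSFER}  # management insures against loss of the site instead
EXCLUSIONS = {"CTRL-C": "S3 accepted: risk below threshold"}  # CTRL-D deliberately left without one

if __name__ == "__main__":
    plan = plan_risk(SCENARIOS, CONTROLS, FORCED)
    soa = statement_of_applicability(CONTROLS, plan, EXCLUSIONS)
    print(*plan, *soa, sep="\n")
    print("excluded controls still lacking a justification:", missing_justifications(soa))
```

Running the script lists the plan in priority order (S1 first, reduced by CTRL-A; S4 transferred with no control; S3 accepted) and then the statement of applicability, in which CTRL-D is excluded because S4 was transferred but carries no recorded reason. That last line is the check worth keeping before the Step 7 documentation audit: every control left out of the ISMS needs the exclusion justification the slide describes, and the script flags the ones that do not have it.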
9
STEP 7
ISO 17799 / BS 7799-2 implementation guide
Audit
BS 7799-2 Certification Guidelines require that the certification body carry out an on-site ISMS audit in no less than two stages, unless an alternative approach can be justified (for example, adapting the certification process to the needs of a very small organization). The audit is two-part:
  1. Documentation Audit: One of the goals of the documentation audit is to allow the certification body to gain an understanding of the ISMS in the context of the organization's security policy, objectives and approach to risk management. It can also serve as a useful reference point when preparing for the second audit and offers an opportunity to evaluate how prepared the organization is for the audit.
  2. Implementation Audit: The implementation audit is guided by the conclusions of the documentation audit report. The certification body draws up the audit plan based on these conclusions, which then allows the implementation audit to begin. The audit takes place at the site of the organization where the ISMS is located.
10
STEP 8
ISO 17799 / BS 7799-2 implementation guide
Ongoing improvement
Whether you are BS 7799-2 certified or not, it is important to regularly verify and improve your management framework once it has been implemented. Inspections and updates should be performed regularly, as security is an ever-changing field. For example, outdated antivirus software is of very little use.
The PDCA Management Model: The recent 2002 edition of the BS 7799-2 standard adopted the Plan-Do-Check-Act model in order to be consistent with other ISO standards that already use it, such as ISO 9001 and ISO 14001. Once applied to the ISMS management framework, this model emphasizes the important fact that risk management requires the implementation of a cyclical management process in order to achieve continual improvement of the ISMS.
11
Contact Us
  • Callio Technologies
  • 740 Galt West Street, Office 10
  • Sherbrooke (Québec)
  • J1H 1Z3
  • CANADA
  • Telephone: (819) 820-8222
  • Toll free (North America): (866) 211-8222
  • Fax: (819) 820-9518
  • Email: info@callio.com
  • Web: http://www.callio.com

Callio Secura 17799 Compliance Software: Our expert software is available in French, English, Spanish and Traditional Chinese, and guides you through each of the steps leading to ISO 17799 compliance and BS 7799-2 certification. Its many functionalities, its user-friendly interface and its flexibility make it an indispensable tool for information security management.