Slides: 26
Provided by: calliotec
1
BS 7799 / ISO 17799 Presentation
2
Outline
  • What is BS 7799/ISO 17799?
  • History
  • Who's it for?
  • Implementation
  • Tools and software

3
What is BS 7799/ISO 17799?
  • A set of controls based on the best practices in
    information security
  • An international standard covering every aspect
    of information security:
      • Equipment
      • Management policies
      • Human resources
      • Legal aspects.

4
BS7799 or ISO 17799 ?
  • ISO 17799 (part 1) is a guide containing
    controls and recommendations by which an
    organization can ensure the security of its
    information.
  • BS 7799 (part 2) proposes measures for an
    efficient information security management
    framework. BS 7799-2 helps an organization
    establish an information security management
    system (ISMS) and thus prepare for the audit.

5
Qualities of BS 7799 / ISO 17799
  • Scope of the standard
  • Proven
  • Public
  • International
  • A name associated with "quality"
  • Evolutionary and flexible (adapts to each
    context)
  • Availability of tools and support.

6
The Ten Key Contexts of ISO 17799
[Diagram: the ten control areas of ISO 17799 arranged around the
Confidentiality, Integrity and Availability of Information]
  • Security policy
  • Organizational security
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Systems development and maintenance
  • Business continuity management
  • Compliance
7
The Ten Key Contexts of ISO 17799
Organizational
  1. Security policy
  2. Organizational security
  3. Asset classification and control
  7. Access control
  10. Compliance
Operational
  4. Personnel security
  5. Physical and environmental security
  6. Communications and operations management
  8. Systems development and maintenance
  9. Business continuity management
8
Complementarity with Other ISO Standards
  • Code of practice for information security
    management: ISO 17799
  • Products and systems certified by ISO 15408 (CC)
  • Guidelines for the management of IT security:
    ISO 13335 (GMITS)
9
History and Development of ISMS
History
  • 1995: BS 7799 Part 1
  • 1998: BS 7799 Part 2
  • 1999: Swedish standards SS 62 77 99 Parts 1 and 2;
    updated version of BS 7799 Parts 1 and 2
  • December 2000: ISO/IEC 17799:2000
  • 2001: Review of BS 7799-2
  • September 2002: Updated version of BS 7799-2
    (revised and corrected)
10
Who's it for?
  • BS 7799/ISO 17799 can be used by any organization
    or company. If your organization uses computer
    systems internally or externally, possesses
    confidential data, depends upon information
    systems in the context of its business
    activities, or simply wants to adopt a high level
    of security while complying with a standard, BS
    7799/ISO 17799 is the solution.

11
Online Purchases of the ISO 17799 Standard
(by region)
[Pie chart: share of online purchases by region; the region labels
were not recovered, only the values 35, 23, 18, 9, 6 and "Others 9"]
12
BS 7799 / ISO 17799 Audit and Certification
  • ISO 17799 certification does not exist at the
    moment.
  • A company can comply with ISO 17799 and then
    become BS 7799-2:2002 certified.
  • The audit process can be documented:
      • Internal audit
      • External audit (letter of opinion)
      • BSI Registrar (official certification)

13
List of Certified Firms
  • Over 80 000 firms around the world are BS
    7799/ISO 17799 compliant, including:
      • Fujitsu Limited
      • Insight Consulting Limited
      • KPMG
      • Marconi Secure Systems
      • Samsung Electronics Co Ltd
      • Sony Bank Inc.
      • Symantec Security Services
      • Toshiba IS Corporate

14
Advantages
  • Compliance with governance rules for risk
    management
  • Better protection of the company's confidential
    information
  • Reduced risk of hacker attacks 
  • Faster and easier recovery from attack.

15
Advantages (cont'd)
  • Structured security methodology that has gained
    international recognition
  • Increased mutual confidence between partners
  • Potentially lower premiums for computer risk
    insurance
  • Improved privacy practices and compliance with
    privacy laws.

16
Management Approach (PDCA Model)
17
Methodology and Implementation Cycle
18
Methodology and Implementation Cycle (cont'd)
19
Continual Improvement
20
Deliverables ISO 17799
21
Potential Obstacles and Success Factors
Success factors:
  • Dedicated personnel and resources
  • External expertise
  • Good understanding of risk management functions
    (management) and processes (operations)
  • Frequent communication
  • Manager and employee awareness
  • Commitment from upper management
  • Structured approach.
Potential obstacles:
  • Fear, resistance to change
  • Risk of contiguity
  • Increased costs
  • Insufficient knowledge for the approach selected
  • Seemingly insurmountable task.


22
Implementation - Callio Secura 17799
23
Callio Secura 17799 Demonstration
24
References
  • BSI documents (www.bsi.org.uk/index.xhtml)
      • Information Security Management: An Introduction
        (PD3000). Provides an overview of the accredited
        certification process and serves as a useful
        preface to the other guides.
      • Guide to BS7799 Risk Assessment and Risk
        Management (PD3002). Describes the concepts
        underlying the BS 7799 risk assessment, including
        terminology, the evaluation process and risk
        management.
      • Selecting BS7799 Controls (PD3005). Describes the
        process for selecting appropriate controls.
  • ISO/IEC Guidelines for the Management of IT
    Security (GMITS)

25
Conclusion
For more information on the BS 7799/ISO 17799
standard, visit us online at www.callio.com or
call a representative at 1-866-211-8222.