
ISO 17799

If your information's not safe, your future's not secure

INFORMATION SECURITY

IF YOU AREN'T MANAGING RISK, YOU SHOULD BE

Information Security

The issue of information security sees organizations of all sizes and from all sectors with an identical problem – their inherent vulnerability.

No matter how secure and well protected an organization appears to be, sensitive information can be leaked without you even realizing until it's too late.

All information in all departments, whether on computer disk, paper or in the heads of those you employ, is at risk from any number of very real threats. Information security is no longer just an issue for IT managers – a single breach of information security could cost you your hard-earned profits while doing irreparable damage to your image and reputation. Your capacity to trade profitably depends on your ability to manage this risk effectively.

As the number of reported information security breaches consistently increases, the need for a structured approach to the management of information security intensifies. An Information Security Management System (ISMS) based on ISO 17799 will provide a well-proven framework to initiate, implement, maintain and manage information security within any organization. Once you start using ISO 17799 as a basis for your ISMS, your management system can be audited and registered by a third party, such as BSI, Inc. This process adds significant value to the ongoing effectiveness of the system.

FEATURES AND BENEFITS OF ISO 17799

Due to the all-encompassing nature of ISO 17799, we have highlighted the key areas you would have to address when using the ISO 17799 Information Security Management System (please check the box if this is something you already do):

❏ Security Policy – Do you have a document to demonstrate management support and commitment to the Information Security Management System process?

❏ Security Organization – Do you have an established management framework to initiate and control the implementation of information security within your organization and to manage your ongoing information security provision?

❏ Asset Classification and Control – Do you have a comprehensive inventory of assets and assign responsibility to ensure that effective security protection is maintained?

❏ Personnel Security – Do you have well-defined job descriptions for all staff outlining security roles and responsibilities?

❏ Physical and Environmental Security – Do you have a clear and concise definition of the security requirements for your premises and the people within them?

❏ Communications and Operations Management – Do you optimize your communication skills to facilitate smooth operation of your Information Security Management System?

❏ Access Control – Do you have network management to ensure that only those with the appropriate responsibility have access to information in the networks and the protection of the supporting infrastructure?

❏ Systems Development and Maintenance – Do you ensure that IT projects and support activities are conducted in a secure manner through data control and encryption where necessary?

❏ Business Continuity Management – Do you use a managed process for developing and maintaining business contingency plans which protect critical business processes from major disasters or failures?

❏ Compliance – Can you demonstrate to clients, employees and the authorities your commitment to meeting statutory or regulatory information security requirements?

So how did you do? If this exercise highlighted areas where you think you need to improve, contact BSI, Inc.
IMPLEMENTING AN ISO 17799 INFORMATION SECURITY MANAGEMENT SYSTEM WITH BSI, INC.

There are key steps that every company implementing an Information Security Management System will need to consider:

PURCHASE THE STANDARD – Before you can begin preparing your system, you will require a copy of the standard. You should read this and make yourself familiar with it. Copies can be purchased from www.ceem.com.

CONSIDER TRAINING – There are training courses available to help you implement and assess your Information Security Management System. Training is offered by www.ceem.com.

ASSEMBLE A TEAM AND AGREE YOUR STRATEGY – You should begin the entire implementation process by preparing your organizational strategy with top management. At this stage you should determine the scope of your registration – whether the system will be adopted company-wide, or by one or more departments.

REVIEW CONSULTANCY OPTIONS – You can receive advice from independent consultants on how best to implement your information security management system. They may have experience in implementation that can help you avoid costly mistakes.

UNDERTAKE A RISK ASSESSMENT – During this phase you should undertake a review of all potential security breaches. This should not relate solely to IT systems, but should encompass all sensitive information within your organization.

DEVELOP A POLICY DOCUMENT – This will demonstrate management support and commitment to the Information Security Management System process.

DEVELOP SUPPORTING DOCUMENTS – Put together a Statement of Applicability and Procedures to support your security policy. This will cover a range of areas including asset classification and control, personnel security, physical and environmental security and business continuity management.

IMPLEMENT YOUR INFORMATION SECURITY MANAGEMENT SYSTEM – The key to implementation is communication and training. During the implementation phase everyone begins operating to the procedures of the management system.

CHOOSE A REGISTRAR – The registrar is the third party, like BSI, Inc., who comes and assesses the effectiveness of your Information Security Management System, and issues a certificate if it meets the requirements of the standard.

GAIN REGISTRATION – You should arrange your assessment with your registrar. At this point the registrar will review your Information Security Management System and determine whether you should be recommended for registration.
THE REGISTRATION PROCESS

There are 8 steps to achieving certification to ISO 17799 with BSI, Inc.

INITIAL INQUIRY – You will be asked to complete a company profile. Our professionals will do everything they can to help you do this.

QUOTATION PROVIDED – BSI, Inc. will forward a detailed proposal for the delivery of the assessment.

APPLICATION SUBMITTED – You submit a formal application to BSI, Inc.

CLIENT MANAGER APPOINTED – Your principal contact with BSI, Inc. throughout the registration process and beyond will be appointed. They will have knowledge concerning the nature of your business and will offer support whilst you develop your system.

PRE-ASSESSMENT – An optional pre-assessment audit can be undertaken to review your Information Security Management System and to establish your readiness for assessment.

PHASE 1 – UNDERTAKE A REVIEW – BSI, Inc. conducts a 'desktop' review of the Risk Assessment, Policy, Scope, Statement of Applicability and Procedures. This will identify any weaknesses or omissions which need resolving.

PHASE 2 – UNDERTAKE A FULL AUDIT – Your Client Manager conducts an on-site audit, then makes formal recommendations to the certification managers.

REGISTRATION CONFIRMED – On successful completion, a certificate of registration is issued. Once you have received registration and been awarded your certificate, you can begin to advertise your success and promote your registration.

CONTINUAL ASSESSMENT – Your registrar will periodically check your ISMS to ensure that it continues to meet the requirements of the standard. Your certificate remains valid for three years. At the end of three years your certificate will be extended on condition of a positive reassessment.
GLOBAL MANAGEMENT SYSTEMS

Added value through integration

If your company is among the 400,000 worldwide who operate using other management systems, for example, ISO 9000 for quality management or ISO 14001 for environmental management, you can integrate an ISMS with one of these established management systems.

By doing this you will not only make the ISMS easier to manage, you will also be able to take advantage of BSI's Integrated Assessment Service.

BSI's Integrated Assessment Service (IAS) is designed to help organizations achieve and maintain registration to a number of management system standards cost-effectively and with minimal disruption to work activity. So, should you want to demonstrate your commitment to quality (ISO 9000), the environment (ISO 14001) or health & safety (OHSAS 18001) alongside information security (ISO 17799) to create a total management solution, we can help you do it seamlessly with little or no disruption.

Our service is backed by a pool of specialists with unrivalled knowledge and expertise, and by an extensive choice of training courses and seminars designed to maximize your progress.
BSI – PROVIDING SOLUTIONS, PRODUCING RESULTS

When you choose BSI as your business partner, you are also choosing an international reputation for excellence. As the largest and most respected management systems registrar in the world, we have office locations around the world, and are regarded universally as a global service provider of the highest quality and integrity.

In addition to management systems registration, BSI offers a plethora of complementary services that provide real added value, including the development of schemes, systems assessment, product testing, training courses and seminars.

Here are some more reasons to choose BSI:

• Internationally experienced assessment staff who undergo the most thorough training and qualification process of any other registrar, to ensure that when they visit your company they understand the needs and specific requirements of your industry

• Our registration service is accredited by an independent accreditation service, ensuring integrity of the registration decision

• Use of the highly regarded and powerful BSI Registered Logo

• Entry into our business partners database used by the most discerning buyers
Information Security Management Systems

BSI, Inc.
12110 Sunset Hills Road, Suite 140
Reston, VA 20190
USA

Tel: 800 862 4977 • 703 437 9000
Fax: 703 437 9001
inquiry@bsiamericas.com
www.bsiamericas.com

BSIUSA19/MS/0202/E
