If your information's not safe, you should be ISO 17799

FEATURES AND BENEFITS OF ISO 17799
Due to the all-encompassing nature of ISO 17799, we have highlighted the key areas you would have to address when using the ISO 17799 Information Security Management System (please check the box if this is something you already do):

❏ Security Policy – Do you have a document to demonstrate management support and commitment to the Information Security Management System process?

❏ Security Organization – Do you have an established management framework to initiate and control the implementation of information security within your organization and to manage your ongoing information security provision?

❏ Asset Classification and Control – Do you have a comprehensive inventory of assets, and do you assign responsibility to ensure that effective security protection is maintained?

❏ Personnel Security – Do you have well-defined job descriptions for all staff outlining security roles and responsibilities?

❏ Physical and Environmental Security – Do you have a clear and concise definition of the security requirements for your premises and the people within them?

❏ Systems Development and Maintenance – Do you ensure that IT projects and support activities are conducted in a secure manner through data control and encryption where necessary?

❏ Business Continuity Management – Do you use a managed process for developing and maintaining business contingency plans which protect critical business processes from major disasters or failures?

❏ Compliance – Can you demonstrate to clients, employees and the authorities your commitment to meeting statutory or regulatory information security requirements?

So how did you do? If this exercise highlighted areas where you think you need to improve, contact BSI, Inc.
THE REGISTRATION PROCESS
There are 8 steps to achieving certification to ISO 17799 with BSI, Inc.

PURCHASE THE STANDARD
Before you can begin preparing your system, you will require a copy of the standard. You should read this and make yourself familiar with it. Copies can be purchased from www.ceem.com.

CONSIDER TRAINING
There are training courses available to help you implement and assess your Information Security Management System. Training is offered by www.ceem.com.

ASSEMBLE A TEAM AND AGREE YOUR STRATEGY
You should begin the entire implementation process by preparing your organizational strategy with top management. At this stage you should determine the scope of your registration – whether the system will be adopted company-wide, or by one or more departments.

REVIEW CONSULTANCY OPTIONS
You can receive advice from independent consultants on how best to implement your Information Security Management System. They may have experience in implementation that can help you avoid costly mistakes.

UNDERTAKE A RISK ASSESSMENT
During this phase you should undertake a review of all potential security breaches. This should not relate solely to IT systems, but should encompass all sensitive information within your organization.

DEVELOP A POLICY DOCUMENT
This will demonstrate management support and commitment to the Information Security Management System process.

DEVELOP SUPPORTING DOCUMENTS
Put together a Statement of Applicability and Procedures to support your security policy. These will cover a range of areas including asset classification and control, personnel security, physical and environmental security and business continuity management.

CHOOSE A REGISTRAR
The registrar is the third party, like BSI, Inc., who comes and assesses the effectiveness of your Information Security Management System, and issues a certificate if it meets the requirements of the standard.

GAIN REGISTRATION
You should arrange your assessment with your registrar. At this point the registrar will review your Information Security Management System and determine whether you should be recommended for registration.

CONTINUAL ASSESSMENT
Your registrar will periodically check your ISMS to ensure that it continues to meet the requirements of the standard. Your certificate remains valid for three years. At the end of three years your certificate will be extended on condition of a positive reassessment.
GLOBAL MANAGEMENT SYSTEMS EXCELLENCE
Information Security – ISO 17799
BSI, Inc.
inquiry@bsiamericas.com
www.bsiamericas.com
BSIUSA19/MS/0202/E