Professional Documents
Culture Documents
BS7799 Part 1
• Outlined control objectives and a range of controls that can be used to
meet those objectives (the code of practice).
BS7799 Part 2
• Outlined how a security management program can be set up and maintained.
Also served as the specification that organizations could be certified against.
“The British seem to know what they are doing. Let’s follow them.”
Hence BS7799 became the de facto model to follow.
Coverage areas
• Information security policy for the organization – map business
objectives to security requirements, assign responsibilities, etc.
• Creation of an information security infrastructure
• Asset classification and control
• Personnel security – screening procedures, training, roles, etc.
• Physical and environmental security – implement physical access control
and a security perimeter
• Communications and operations management – change control,
incident handling, network management
• Access control – authentication, user management, monitoring
• System development and maintenance – implement security in all
phases of a system's lifetime
• Business continuity management – ensuring continuity of business
processes
• Compliance – industry regulations and standards
Expanding the BS7799
• Other confusing titles began to appear, e.g. BS7799, BS7799 v1, BS7799
v2, ISO 17799, BS7799-3:2005, etc. (Part 1 became ISO/IEC 17799 and later
ISO/IEC 27002; Part 2 became ISO/IEC 27001; BS7799-3 covered risk management.)
• The industry has moved from the more ambiguous BS7799 standard to
a whole list of ISO/IEC 27000-series standards that attempt to compartmentalize
and modularize the necessary components.
• An ISO 27001 consultant can charge upwards of $1500 per person-day.
Comparing COBIT and ISO 27000
• None of these frameworks is in competition with the others; in fact, they
are best used together.
• The ISO 27000 series outlines security controls, but does not focus on how
to integrate them into business processes.
• COBIT focuses on IT governance controls and metrics, not as much on security.
Further Reading
http://www.iso27001security.com/html/27002.html