Information Security Management Standard: BS7799 Framework


Structure of BS7799 Framework

BS 7799 is an Information Security Management Standard whose development began in the 1990s; the British Standards Institution (BSI) first published it in 1995.

The first part of BS 7799 (later adopted as ISO/IEC 17799) is titled the “Code of Practice for Information Security Management”. It is organised under 10 headings that together contain 127 security controls, each of which is elaborated in the text of the standard (Gamma Secure Systems, 2001). Not every control has to be implemented by every firm; the breadth of the catalogue is what allows the guidance to be tailored to a particular business. The second part of BS 7799, published in 1998, is called the “Specification for Information Security Management Systems”. It is the auditable specification against which organisations are assessed and certified (registered) (BSI, 2002, para. 6).

After 1998 the standard continued to develop. Part 2 was the basis of ISO/IEC 27001 (published in 2005), and the newer BS 7799-3 is a risk-management guideline written to be consistent with ISO 27001 (BS7799 and ISO 17799 Awareness, n.d., para. 3). ISO 27001 has been characterised as an “internationally recognized best practice framework for an information security management system” (BSI, 2015, para. 2). Thus, while it still carries the name of a standard created in the last century, BS 7799 has been adapted to a changing environment.

The BS 7799 framework aims to improve the security of information through a set of controls (Trinity Security Services, 2004, para. 4). The ten primary control areas are “security policy, security organization, asset control and classification, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance” (Trinity Security Services, 2004, para. 5; Gamma Secure Systems, 2001, para. 4-8; Theobald, 2005, p. 6). In short, BS 7799 is intended to protect all of an organisation’s information assets in accordance with a purpose-written security policy and through purpose-built systems and procedures. The protection is directed against both external and internal threats (note the personnel security and physical and environmental security areas) and is a precondition for uninterrupted business operation (business continuity management). Finally, BS 7799 addresses compliance with law and regulation. As a result, BS 7799 provides a framework for identifying, managing, and minimising a wide range of the external and internal risks that typically threaten information, with the intent of covering all foreseeable threats (BSI, 2002, para. 6-7).

Figure 1. The structure of BS7799, based on Theobald (2005).

Consistent with these aims, the key elements of BS 7799 are the information security policy, standards, procedures, and records (see Fig. 1). The first three elements are necessarily tailored to the organisation; the fourth, records, is the evidence on which any review of the effectiveness of the system depends. Such review is a crucial part of the BS 7799 implementation methodology (Theobald, 2005, p. 9).

Implementation Methodology

The second part of BS 7799 defines the methodology for implementing the framework. It can be reduced to a four-step cycle, described by Trinity Security Services as Plan, Do, Review, Act (PDRA); the standard itself, and ISO 27001 after it, call the same cycle Plan-Do-Check-Act (PDCA). Each step is meant to direct people, make use of systems, and define processes so that the company’s actions remain consistent (Trinity Security Services, 2004, para. 3-4).

Figure 2. The methodology of BS7799 implementation (Trinity Security Services, 2004).

The PDRA cycle was not created for BS 7799, but it is the model used to implement the standard (see Fig. 2). As the figure shows, the first stage (Plan) is concerned with defining the policy and objectives and selecting the standards, that is, two of the key elements of the BS 7799 system (see Fig. 1). Procedures, the third element, are also designed during the first stage and put into operation during the second (Do). Records, the fourth element, are the input to the Review stage, which measures whether the controls are achieving their objectives. The Act stage consists of the actions that correct the procedures or objectives in light of what the review showed about the effectiveness of the current ones (Trinity Security Services, 2004, para. 3-8; Theobald, 2005, p. 7). This stage closes the loop, making the methodology repeatable and adaptive.

Advantages and Disadvantages

According to BSI (2002) and BSI (2015), the primary advantages of BS 7799 include:

  • A consistent security policy: the first element of BS 7799.
  • Adaptiveness: review of the security arrangements is built into the implementation cycle (see Fig. 2).
  • Increased security and protection through the identification of risks and the selection of appropriate controls.
  • Scope for customisation: only the controls relevant to the organisation need to be implemented.
  • Security awareness and education for staff.
  • Improved credibility through the use of an internationally recognised standard: customers gain assurance that their information is handled according to a recognised set of controls.
  • Cost savings: fewer and less severe incidents mean fewer interruptions and attacks to recover from, so less money is spent on fixing problems after the fact.
  • Compliance with new regulations and the law.

Possible disadvantages include the following.

  • Possible obsolescence: although it has been revised, the standard still rests on a framework developed in the 1990s.
  • Difficulty of customisation: selecting and scoping the right subset of controls requires judgement and effort.
  • Practical problems that are hard to anticipate in theory (Qi, Qingling, Wei & Jine, 2012, p. 355).

The last two disadvantages follow from the fact that BS 7799 is, by design, a general framework. The size of the control catalogue in the first part shows that the authors tried to anticipate most difficulties; the remaining problems are expected to be addressed by the organisation’s own risk management.

References

BS7799 and ISO 17799 Awareness. (n.d.). Web.

BSI. (2002). Information security. Web.

BSI. (2015). Web.

Gamma Secure Systems. (2001). BS7799 How it Works? Web.

Theobald, J. (2005). Web.

Trinity Security Services. (2004). Is BS7799 For You? Web.
