Many people have heard of ISO9000, the International Standard for Quality Management, but soon we will be hearing a lot more about ISO17799, the Information Security Management standard. It was first published in December 2000 and is based on the British Standard BS7799-1.
ISO17799 is not a standard that your organisation can be certified against: it contains a Code of Practice, and it is not possible to be certified under a code of practice. However, BS7799-2 is a Specification, and organisations can be certified against it. Although ISO is also considering adopting BS7799 part 2 as an ISO standard, it is understood that the process will take a minimum of five years.
As with ISO9000, preparing your organisation for BS7799-2 certification is a lot of work, so what are the benefits? Certification will not guarantee that your organisation has no security incidents, but it will make sure that you know about the incidents that do occur, that prevention is cost-effective, and that incident response is effective; in short, that the risks are managed. In the future, BS7799 (or the equivalent ISO standard) may become a requirement for doing business, just as some organisations now demand or prefer suppliers with an ISO9000 certificate.
BS7799 certification is not for every organisation; SMEs in particular will find the requirements daunting and the formal assessment costs prohibitive. However, the guidelines are well worth following even without certification. Developers of security products naturally emphasise the problems their own product addresses. A structured approach to information security, in which the controls address the largest threats to your organisation rather than the latest hype, is to be recommended.
Yui Kee can provide consultancy on Information Security Management and the standards.