BS 7799
The British Standard BS 7799 from 1995 has the official designation"Code of Practice for Information Security Management" and forms the basis for auditing the security ofIT systems.
The British Standard forms an internationally recognized standard for assessing the security of IT environments. This standard has given rise to the international standard ISO 17799, which serves as a reference document for the creation of an information security management system( ISMS). The goal of this standard is to introduce a process approach that can be used to develop, implement, monitor and improve an organization-specific information security management system (ISMS).
In BS 7799 certifications, the entire IT system is put to the test and examined for existing risk potential; and not individual applications, subsystems or files. The focus is on protecting sensitive data and important business processes.
Important aspects of the standard are the definition, specification and implementation of an information security management system, the development of organization-specific standards and practices with regard to information security, and the monitoring of compliance with information security agreements. The standard consists of ten chapters, which form the basis for practical application:
- Security Policy,
- Security Organization,
- Asset Classification and Control,
- Personal Security,
- Physical and Environmental Security,
- Computer and Network Management,
- System Access Control,
- System Development and Maintenance,
- Business Continuity and Disaster Recovery Planning,
- Compliance.
ISO 17799, which describes the management of information security, creates the conditions for the certification of an ISMS system. The BS 7799 standard consists of two parts:
Part 1: Guidance for managing information security,
Part 2 of 1999: Specification for information security management systems.
In 2002, the second part was adapted to international management standards and the OECD guidelines. This enables companies to establish a security process that systematically improves the security value at a level to be defined.
The ISO 2700x set of rules issued by ISO in the fall of 2005 incorporates the aspects of BS 7799 in ISO 27001 and replaces it.