
Business continuity management (BCM) is a holistic management process that identifies potential threats to an organization and the impact those threats, if realized, might have on business operations, and that establishes the basis for the organization's ability to respond to and recover from incidents effectively, thereby safeguarding the interests of its key stakeholders, its reputation, its brand and its value-creating activities. BCM includes managing the recovery and continuation of business activities in the event of a disruption, and managing the overall business continuity programme through training, exercises and reviews so that the business continuity plan(s) stay up to date.

BS 25999-1:2006, "Business continuity management - Part 1: Code of practice"

BS 25999-1:2006 defines the process, principles and terminology of business continuity management, providing a basis for understanding, designing and implementing business continuity within an organization and giving customers and partners confidence in its resilience. The standard describes a comprehensive set of controls and covers the whole life cycle of the business continuity management process. It was developed by practitioners from across the global community on the basis of industry best practice, and is suitable for organizations of all types and sizes.

BS 25999-2:2007, "Business continuity management - Part 2: Specification"

While the first part of the standard (BS 25999-1:2006) contains general recommendations on business continuity management, the second part sets out the requirements for a business continuity management system, and only those whose fulfilment can be objectively verified. Using these requirements, companies can evaluate an existing business continuity management system, either independently or with the involvement of external consultants. On the basis of the second part of the standard, certification bodies issue a conclusion on the compliance of the business continuity management system with the requirements of BS 25999.

BS 25777:2008, "Managing the continuity of information and communications technology - Code of practice"

The British standard BS 25777 was developed from the existing business continuity standard BS 25999 and the complementary publicly available specification PAS 77, and summarizes international best practice in ensuring the continuity of IT services.

ICT continuity management ensures the required resilience of information and communication technologies and services, and the ability to restore them to a predetermined level within a time frame agreed with the organization's management. Effective business continuity management depends on ICT continuity management to ensure that the organization can always achieve its objectives, especially at times of disruption.

BS 25777 covers issues such as:

  • Managing the ICT continuity programme
  • Embedding ICT continuity management principles into the organization's culture
  • Documenting the ICT continuity management system
  • Defining ICT continuity requirements
  • Developing and implementing an ICT continuity strategy
  • Developing and testing ICT continuity plans
  • Conducting exercises to restore ICT services
  • Maintaining, reviewing and improving the ICT continuity management system
  • and other topics

PAS 77:2006, "IT service continuity management - Code of practice"

The IT Service Continuity Management Guide explains the principles and some recommended practices for IT Service Continuity Management. It is intended for use by people responsible for implementing, delivering and managing the continuity of IT services in an organization.

This guidance is intended to complement (not replace) other publications on the subject, such as PAS 56, BS ISO/IEC 20000, BS ISO/IEC 17799:2005 and ISO 9001. It should not be regarded as step-by-step instructions for implementing IT service continuity management processes, but rather as a guide to some of the aspects of ITSCM that organizations should consider when investing in this area.

One of the first international standards for information security management, the British standard BS 7799, has long gone beyond national boundaries. Its first part, BS 7799-1 “Practical Rules for Information Security Management”, was developed in 1995 by the British Standards Institution (BSI) at the request of the British Government, with the participation of commercial organizations such as Shell, National Westminster Bank, Midland Bank, Unilever, British Telecommunications, Marks & Spencer, Logica and others.

As the title suggests, this document is a practical guide to managing information security in an organization, regardless of its field of activity. It describes 10 areas and 127 controls required to build an information security management system, identified on the basis of best practices from around the world.

In accordance with this standard, any security service, IT department, or company management must begin to work in accordance with general regulations. It does not matter whether paper documents or electronic data are being protected.

In 1998, the second part of this British standard appeared: BS 7799-2 “Information security management systems. Specification and application guide”, which defined the general model for building an information security management system and a set of mandatory requirements against which certification must be carried out. With the advent of the second part of BS 7799, which defined what an information security management system should be, the active development of a certification scheme in the field of security management began. In 1999, both parts of BS 7799 were revised and harmonized with the international management system standards ISO 9001 and ISO 14001, and a year later the ISO technical committee adopted BS 7799-1 without changes as the international standard ISO/IEC 17799:2000.

The second part of BS 7799 was revised in 2002, and at the end of 2005 it was adopted by ISO as the international standard ISO/IEC 27001:2005 “Information technology - Security techniques - Information security management systems - Requirements”. At the same time, the first part of the standard was updated. With the release of ISO 27001, information security management system specifications have acquired international status, and a significant increase in the role and prestige of ISO 27001 certified information security management systems should now be expected.

The 2700x family of international security management standards continues to evolve rapidly. According to ISO plans, it will include:

  • standards defining requirements for an information security management system;
  • a risk management system;
  • metrics and measurements of the effectiveness of controls;
  • an implementation guide.

This family of standards will use a sequential numbering scheme from 27000 onwards. ISO/IEC 17799:2005 will subsequently be renamed ISO/IEC 27002.

At the beginning of 2006, a new British national standard in the field of information security risk management, BS 7799-3, was adopted, which later received the index 27005.

Currently, the British standard BS 7799 is supported in 27 countries, including the countries of the British Commonwealth, as well as Sweden, the Netherlands, and Russia.

However, the original content of the BS 7799 standard, which is still used in a number of countries, should also be noted. It consists of two parts.

"Part 1: Practical Rules for Information Security Management" (1995)

The following aspects of information security are defined and considered:

    Security policy.

    Organization of protection.

    Classification and management of information resources.

    Personnel Management.

    Physical security.

    Administration of computer systems and networks.

    System access control.

    Development and maintenance of systems.

    Planning the smooth operation of the organization.

    Checking the system for compliance with information security requirements.

"Part 2: System Specifications" (1998)

The aspects listed in “Part 1” are considered in this part from the point of view of certifying an information system for compliance with the requirements of the standard.

It defines possible functional specifications of corporate information security management systems from the point of view of verifying them for compliance with the requirements of the first part of the standard. The procedure for auditing corporate information systems is also regulated in accordance with the provisions of this standard.

Additional guidance on information security management is provided by the British Standards Institution (BSI) guidelines, http://www.bsi-global.com/, published during 1995-2003 as the following series:

    Introduction to information security management – Information security management: an introduction.

    Preparing for certification against the requirements of BS 7799 – Preparing for BS 7799 certification.

    BS 7799 guide to risk assessment and management – Guide to BS 7799 risk assessment and risk management.

    Are you ready for an audit against the requirements of BS 7799? – Are you ready for a BS 7799 audit?

    Guidance on auditing against the requirements of the standard – Guide to BS 7799 auditing.

Today, general issues of information security management in companies and organizations, as well as the development of security audits against the requirements of BS 7799, are handled by the international committee Joint Technical Committee ISO/IEC JTC 1 together with the British Standards Institution (BSI) (www.bsi-global.com), and in particular the UKAS (United Kingdom Accredited Service). This service accredits organizations for the right to audit information security in accordance with BS ISO/IEC 7799:2000 (BS 7799-1:2000). Certificates issued by these bodies are recognized in many countries. Note that if a company is certified to ISO 9001 or ISO 9002, BS ISO/IEC 7799:2000 (BS 7799-1:2000) allows information security management system certification to be combined with certification to ISO 9001 or ISO 9002, both at the initial stage and during surveillance checks. For this, a registered auditor for BS ISO/IEC 7799:2000 (BS 7799-1:2000) must take part in the combined certification. At the same time, joint assessment plans should clearly set out the procedures for verifying the information security system, and certification bodies should ensure that the information security verification is thorough.

The progenitor of international information security management standards, the British BS 7799, has long gone beyond national boundaries. Its first part, BS 7799-1, was developed in 1995 by order of the UK government. At the beginning of 2006, the British introduced a new standard in the field of information security risk management - BS 7799-3, which will later receive the index 27005.

There are many areas of management: production, finance, sales, purchasing, personnel, and so on. With the development of modern high-tech business, the importance of areas such as information technology, information security, quality and the environment has grown. This is evidenced by the growing worldwide popularity of the corresponding international standard series ISO 2700x, ISO 2000x, ISO 900x and ISO 1400x. The basic principles of management are, by and large, the same for all areas, so the corresponding management systems complement each other, forming the organization's integrated management system (IMS). It is difficult to overestimate the contribution of the British Standards Institute (BSI) to the development of international standards for organization management, including integrated management systems, which are the subject of the BSI BIP 2000 series of publications.

Following the widespread dissemination of ISO 9001 and quality management systems, international information security management standards - ISO/IEC 27001/17799 - have finally begun to take root in Russia. They have become available in Russian, a public discussion has begun on draft relevant national information security standards GOST R ISO/IEC 27001 and GOST R ISO/IEC 17799, and certification services are gradually becoming more widespread.

The progenitor of international standards for information security management is the British standard BS 7799. Its first part, BS 7799-1 “Practical rules for information security management,” was developed by BSI in 1995 at the request of the UK government. As the title suggests, this document is a practical guide to managing information security in an organization. It describes 10 areas and 127 controls required to build an ISMS, identified on the basis of best practices from around the world. In 1998, the second part of this British standard appeared: BS 7799-2 “Information security management systems. Specification and application guide,” which defined the general model for constructing an ISMS and a set of mandatory requirements against which certification must be carried out. With the advent of the second part of BS 7799, which defined what an ISMS should be, the active development of a certification scheme in the field of security management began. In 1999, both parts of BS 7799 were revised and harmonized with the international management system standards ISO 9001 and ISO 14001, and a year later the ISO technical committee adopted BS 7799-1 without change as the international standard ISO/IEC 17799:2000.

The second part of BS 7799 was revised in 2002, and at the end of 2005 it was adopted by ISO as the International Standard ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements. At the same time, the first part of the standard was updated. With the release of ISO 27001, ISMS specifications have gained international status, and we can now expect a significant increase in the role and prestige of ISO 27001 certified ISMSs.

The 2700x family of international security management standards continues to evolve rapidly. According to ISO plans, it will include standards defining requirements for an ISMS, a risk management system, metrics and measurement of the effectiveness of controls, as well as implementation guidance. This family of standards will use a sequential numbering scheme from 27000 onwards. ISO/IEC 17799:2005 will subsequently be renamed ISO/IEC 27002. A draft ISO/IEC 27000 standard is also in development, which will contain basic principles and definitions and will be unified with the popular IT management standards: COBIT and ITIL.

At the beginning of 2006, a new British national standard in the field of information security risk management, BS 7799-3, was adopted, which will subsequently receive the index 27005. Work is also underway on standards for implementing an ISMS and for measuring its effectiveness, which will receive the indexes 27003 and 27004, respectively. Publication of these international standards is planned for 2007.

History of BS 7799

According to the ISMS user group that maintains the international registry of certificates, as of August 2006, there were more than 2,800 organizations from 66 countries certified to ISO 27001 (BS 7799), including four Russian companies. Among the certified organizations are the largest IT companies, banking and financial sector, enterprises in the fuel and energy sector and the telecommunications sector. It is expected that the number of certificate holders in Russia in 2007 will reach several dozen.

7799/17799/27001: pros and cons

BS 7799 has gradually become the "principal information security standard". However, when ISO discussed the first edition of the international standard ISO 17799 in August 2000, consensus was difficult to achieve. The document caused a lot of criticism from representatives of leading IT powers, who argued that it did not meet the basic criteria for international standards.

“There was no way to compare this document with all the other safety work ever reviewed by ISO,” says Gene Troy, the US representative on the ISO technical committee.

Several countries, including the USA, Canada, France and Germany, opposed the adoption of ISO 17799. In their opinion, this document is good as a set of recommendations, but not as a standard. In the USA and European countries, a huge amount of work had already been done on standardizing information security before 2000. “There are several different approaches to IT security. We believed that in order to get a truly acceptable international standard, all of them should be taken into consideration, rather than taking one of the documents and hastily agreeing on it,” says Gene Troy. “The Master Safety Standard was presented as a fait accompli, and there was simply no way to build on other work done in this area.”

BSI representatives countered that the work in question dealt primarily with technical aspects and BS 7799 was never considered a technical standard. Unlike other security standards, such as Commonly Accepted Security Practices and Regulations (CASPR) or ISO 15408/Common Criteria, it defines the basic non-technical aspects of protecting information presented in any form. “It should be like this because it is intended for all types of organizations and external environments,” says BSI spokesman Steve Tyler. “It is an information security management document, not a catalog of IT products.”

Despite all the objections, the authority of the BSI (which is the founder of ISO, the main developer of international standards and the main certification body in the world) prevailed. An accelerated approval procedure was launched and the standard was soon adopted.

The main advantage of ISO 17799 is its flexibility and versatility. The set of best practices described in it is applicable to almost any organization, regardless of ownership, type of activity, size and external conditions. It is technologically neutral and always leaves the option of choosing technologies.

When questions arise: “Where to start?”, “How to manage information security?”, “What criteria should be audited against?” — this standard will help determine the right direction and not lose sight of important points. It can also be used as an authoritative source and one of the tools for “selling” security to the management of the organization, defining criteria and justifying the costs of information security.

However, flexibility and versatility are also the Achilles heel of this standard. Critics say ISO 17799 is too abstract and loosely structured to be of real value. Insufficiently thorough use of it can give a false sense of security.

ISO 17799 describes security measures in general terms, but says nothing about the technical aspects of their implementation. For example, the standard recommends the use of access control mechanisms and names specific technologies such as USB keys, smart cards, certificates, etc. However, it does not consider the advantages and disadvantages of these technologies, or the specifics and methods of their application.

Alexander Astakhov

The British Standards Institute (BSI), with the participation of commercial organizations such as Shell, National Westminster Bank, Midland Bank, Unilever, British Telecommunications, Marks & Spencer, Logica and others, developed an information security standard, adopted as the national standard BS 7799 in 1995, for managing the information security of an organization regardless of the company's field of activity.

In accordance with this standard, any security service, IT department, or company management must begin to work in accordance with general regulations. It does not matter whether paper documents or electronic data are being protected. Currently, the British standard BS 7799 is supported in 27 countries, including the British Commonwealth countries, as well as Sweden and the Netherlands. In 2000, the international standards institute ISO developed and released the international security management standard ISO/IEC 17799 on the basis of the British BS 7799. Today it can be argued that BS 7799 and ISO 17799 are the same standard, which has worldwide recognition and the status of an international ISO standard.

However, the original content of the BS 7799 standard, which is still used in a number of countries, should also be noted. It consists of two parts. "Part 1: Practical Rules for Information Security Management" (1995) defines and considers the following aspects of information security:

· Security policy.

· Organization of protection.

· Classification and management of information resources.

· Personnel Management.

· Physical security.

· Administration of computer systems and networks.

· Control access to systems.

· Development and maintenance of systems.

· Planning the smooth operation of the organization.

· Checking the system for compliance with information security requirements.

"Part 2: System Specifications" (1998) considers these same aspects from the point of view of certifying an information system for compliance with the requirements of the standard.

It defines possible functional specifications of corporate information security management systems from the point of view of their verification for compliance with the requirements of the first part of this standard. In accordance with the provisions of this standard, the procedure for auditing corporate information systems is also regulated.

Additional recommendations on information security management are provided by the British Standards Institution (BSI) guidelines, http://www.bsi-global.com/, published between 1995 and 2003 in the following series:

· Introduction to the problem of information security management – Information security management: an introduction.

· Opportunities for certification to the requirements of the BS 7799 standard -Preparing for BS 7799 certification.

· Guide to BS 7799 risk assessment and risk management.

· Are you ready for a BS 7799 audit?

· Guide to BS 7799 auditing.

Today, general issues of information security management in companies and organizations, as well as the development of security audits against the requirements of BS 7799, are handled by the international committee Joint Technical Committee ISO/IEC JTC 1 together with the British Standards Institution (BSI) (www.bsi-global.com), and in particular the UKAS (United Kingdom Accredited Service). This service accredits organizations for the right to audit information security in accordance with the BS ISO/IEC 7799:2000 standard (BS 7799-1:2000). Certificates issued by these bodies are recognized in many countries.

Note that if a company is certified to ISO 9001 or ISO 9002, BS ISO/IEC 7799:2000 (BS 7799-1:2000) allows information security certification to be combined with certification to ISO 9001 or ISO 9002, both at the initial stage and during surveillance checks. For this, a registered auditor for BS ISO/IEC 7799:2000 (BS 7799-1:2000) must take part in the combined certification. At the same time, joint assessment plans should clearly set out the procedures for verifying the information security system, and certification bodies should ensure that the information security verification is thorough.