ISMS (BS 7799-1)
Information Security Management System
ISO/IEC 17799
ISO/IEC 27001
Both of these standards specify the requirements for an Information Security Management System and are based on the British Standard BS 7799, which is made up of two parts:
- guidelines for information security
- specifications for information security systems
BS 7799-1 was issued in 1995 to provide controls for information security in large, medium and small organizations, including government administration. The 1999 revision took account of the latest developments in the use of information processing technology, especially in the area of networks and communications. It also places greater emphasis on integrating information security into the enterprise and on accountability for information security.
The standard can be used as a basis from which, for example, company policy or inter-company business agreements can be derived. It should not be quoted as a specification, and special care should be taken to ensure that any statement of compliance with its provisions is not incorrect. It is expected that the enforcement of its provisions is entrusted to suitably qualified and experienced persons.
Reasons for implementing an information security management system:
- information security
- streamlining information flows in a company
- personal data protection (Act No. 101/2000 Coll.)
- profit organizations (companies) – reliable information security is closely tied to the organization’s existence and always leads to a better market position
- criminal liability under Section 178 of the Criminal Code (unauthorized handling of personal data)
- public administration organizations – they proceed pursuant to the implementation requirements of the ISVS (Information System of Public Administration) according to Act No. 365/2000 Coll. or 517/2002 Coll.
- the increasing amount of information processed, the automation of its processing and the influence of other laws and decrees
During these activities, it is essential to ensure:
- information is readily available
- unwanted modification of information is avoided
- misuse of information is prevented
- loss of information is prevented
Implementing the system:
- defining the information security policy
- identifying, evaluating and classifying information assets
- determining the level of security
- determining the scope of applicability
- determining the manner in which information risks are managed
- implementing the system
- certification by an independent accredited company
Information security policy:
- the company management’s commitment to protect information and the manner in which it is processed
- the main principles of working with information and how it is secured
- the consequences of violating the information policy