Organizations often pursue and obtain a BS 7799 certification because of customer expectations, competitive pressure and/or the desire to establish best practices per industry standards. More often than not, such an effort turns out to be a high-profile project. It is not uncommon, after the certification is obtained, that information security does not receive as much attention as it did earlier. In these cases, doing the minimum to maintain BS 7799 certification may become the only objective of continuing efforts. However, some organizations continue to stress information security and adopt effective continuous improvements; these organizations often reach new heights. This article explains what can be done to take information security beyond a BS 7799 certification and make it part of an effective strategy.
What Does BS 7799 Certification Signify?
A BS 7799 certification signifies that:
- The organization has established a significant baseline on its information security systems in line with business priorities and per a formal risk assessment
- Controls have been clearly identified from the BS 7799 standard and have been rigorously implemented inside the organization
- A continuous improvement process has been set up for information security in the organization
It also demonstrates that the organization and its top management have included information security on management's agenda and that information security and associated priorities and actions are integrated with the working of the organization at all levels.
Efforts After a BS 7799 Certification
Some important things to consider after obtaining BS 7799 certification are:
- The standard evolves. The version of the standard against which organizations had their information security management systems (ISMSs) certified was, until recently, BS 7799-2: 2002. The 2002 standard has been revised, and ISO 27001 is the current standard. BS 7799-2: 2002 has been withdrawn. Organizations that have adopted BS 7799 have to implement further controls and update their ISMSs in line with ISO 27001 within a set transition period.
- Information security governance is a critical part of an organization's overall enterprise governance. The board and executive management are to ensure that there is an effective program of activities that provide continued and adequate assurance.
As a result of these considerations, it is necessary to continue the information security journey vigorously. Information security managers can consider and act on each of the aspects of information security governance (see figure 1), including:
- Perform active monitoring:
  - Track compliance to the various controls through internal audits and various other methods for prompt corrective and preventive actions.
  - Establish appropriate compliance monitoring systems.
  - Track applicable laws and regulations and their impact on the security system.
  - Track emerging threats and their impacts, and proactively support contingency planning.
  - Track changes that affect the information security posture for appropriate actions.
  - Establish appropriate reporting systems to support monitoring.
- Continue to build defenses with greater efficiency:
  - Work to establish a security-conscious culture in the organization. Increasing the security awareness of employees, temporary staff and external parties needs to be done with great vigor. This is positive security, and the return on the effort usually proves to be quite encouraging. An effective security-conscious culture happens only through sustained efforts and is an important initiative that needs to be continued even after certification.
  - Take specific actions that result in greater involvement of process owners. Consider techniques such as a control self-assessment¹ for compliance efforts. A control self-assessment can be a useful method of tracking compliance of controls and of creating a culture of compliance in the organization.
- Perform regular and systematic testing:
  - As vulnerabilities, threats, risks and incidents are increasing on a global scale, enhance the organization's preparedness and actions by carrying out periodic vulnerability assessments and penetration testing. Choose tests that are more in-depth than those attempted previously, wherever requirements justify.
- Update policies and systems based on monitoring and revisions:
  - Conduct risk assessment periodically and upon certain events, such as changes in the applicable laws and regulations. Use the results to update security policies, business impact analyses, business continuity plans, procedures and ISMSs. The updates should identify additional controls as well as unnecessary controls. The overall objective of a good risk assessment is to ensure that the risk treatment is cost-effective as well. New situations may not justify all the earlier controls or may require new controls, and these need to be updated.
  - Review security architecture at an appropriate frequency, and update the technical implementations. Also, look for opportunities to implement controls more effectively and efficiently.
- Manage security with a difference:
  - Continue to ensure that the entire security management program is effective, coordinated and on track per the standards. When pursuing the certification, it might have been possible to muster support from across the organization, as the certification would have been among everyone's top priorities. Mustering the same level of support afterward can be more difficult in most organizations. Information security management should establish the method and means by which ongoing maintenance of the entire security management system can be done with ease.
  - Establish measures for compliance, track and report to the key stakeholders, and engage them in the entire process.
  - Look for opportunities to evaluate and enhance the security management systems of suppliers and outsourced service providers, and strengthen the performance of the interfaces and parties on whom the organization depends for its operations. If the organization is large and the security performance of its suppliers and partners is crucial, enhancing their security performance could prove very beneficial.
  - Enhance outsourcing service level agreements in line with emerging requirements, establish better levels of security compliance of partners, and strengthen the security performance of interfaces.
  - Cover new ground for ISMSs by covering departments and locations not included in the earlier certification. This, of course, needs to be done in line with the requirements of the organization. Even if they are not part of the scope of BS 7799, consider the advantages of adopting better practices and take up an appropriate strategy.
  - Establish the measures for performance of the security initiative, work out its benefits and demonstrate its value. Use techniques such as a balanced scorecard² for this purpose, and enable greater alignment of information security with business objectives.
  - As ISMSs do not work totally independently of other management systems, enhance their integration with other such systems to enable the optimization of controls, procedures and practices. The organization may also be pursuing other standards/frameworks, such as BS 15000 and Control Objectives for Information and related Technology (COBIT), based on various business needs. Here again, there would be benefits of suitable integration and optimization.
  - Automate controls compliance for performance tracking, and set up dashboards for top management. Engage them in the entire process by means of an automated process.
Figure 2 shows the information security maturity model and represents various organizations based on Gartner's research. The objective of BS 7799-certified organizations is to reach the operations excellence stage and remain in that stage with ease.
The information security function should find ways and opportunities to add business value, enhance the ready acceptance of and compliance with controls and information security, and proactively integrate with the business effectively and persuasively. Establishing measures and reporting on the performance of information security should be among the steps in enabling an organization to move up the information security maturity levels and reside in the operations excellence phase with ease, with BS 7799 certification and its maintenance as the solid foundation.
¹ Bakshi, Sunil; "Control Self-assessment for Information and Related Technology," Information Systems Control Journal, vol. 1, 2004, p. 55-62, www.isaca.org/journal
² Sethuraman, Sekar; "Use Balanced Scorecard to Enhance Information Security Health," eIssa Times, April 2005, www.eissa.org/april2005.htm#12
Sekar Sethuraman, CISA, CIA, CISSP, CSQA
is an advisor of secure converged networking at Ramco Systems in India. He is extensively involved in information security consulting and network operations center services. He is a BS 7799 implementor and lead auditor, and he has more than 20 years of experience in large organizations as head of IT and information security, CIO, and CTO. He has been responsible for offshore IT services and large IT implementations, and he has implemented information security systems for large organizations to fulfill the requirements of international standards such as BS 7799. His professional affiliations include ISACA, the Information Systems Security Association (ISSA), the Institute of Internal Auditors (IIA) and the Computer Society of India. He is a frequent speaker and author on various security topics, and he can be reached at email@example.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.