Information security management - Specification with guidance for use

Information security management systems - Specification with guidance for use (Slovenian title translated)

General Information

Status
Published
Withdrawal Date
30-Sep-2003
Technical Committee
Current Stage
7100 - Original SIST - Document preparation (Local Project)
Start Date
01-Sep-2003
Due Date
01-Sep-2003
Completion Date
01-Sep-2003
Ref Project

Standard
BS 7799-2:2003
English language
33 pages

Standards Content (Sample)

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

SLOVENIAN STANDARD SIST BS 7799-2:2003 (en), 1 September 2003
Information security management systems - Specification with guidance for use
ICS: 35.020 Information technology (IT) in general; 35.040 Character sets and information coding
This Slovenian standard is identical to: BS 7799-2:2002






BRITISH STANDARD
BS 7799-2:2002
Information security management systems - Specification with guidance for use
ICS 03.100.01; 35.020



This British Standard, having been prepared under the direction of the DISC Board, was published under the authority of the Standards Policy and Strategy Committee and comes into effect on 5 September 2002.

© BSI 5 September 2002

First published as Part 2 February 1998
Revised May 1999

The following BSI references relate to the work on this British Standard:
Committee reference BDD/2
Draft for comment 01/682010 DC

ISBN 0 580 40250 9

Committees responsible for this British Standard

The preparation of this British Standard was entrusted to BSI-DISC Committee BDD/2, Information security management, upon which the following bodies were represented:

@stake
Articsoft Ltd
Association of British Insurers
British Computer Society
British Telecommunications plc
British Security Industry Association
Department of Trade and Industry - Information Security Policy Group
EDS Ltd
Experian
Gamma Secure Systems Limited
GlaxoSmithKline plc
HMG Protective Security Authority
HSBC
I-Sec Ltd
Institute of Chartered Accountants in England and Wales
Institute of Internal Auditors - UK and Ireland
KPMG plc
Lloyds TSB
Logica UK Ltd
London Clearing House
Marks & Spencer plc
National Westminster Group
Nationwide Building Society
QinetiQ Ltd
Shell UK
Unilever
Wm. List & Co
XiSEC Consultants Ltd/AEXIS Security Consultants

Amendments issued since publication
Amd. No. | Date | Comments
(no amendments listed)



Contents

Committees responsible ... inside front cover
Foreword ... ii
0 Introduction ... 1
1 Scope ... 3
2 Normative references ... 3
3 Terms and definitions ... 3
4 Information security management system ... 5
5 Management responsibility ... 8
6 Management review of the ISMS ... 9
7 ISMS improvement ... 10
Annex A (normative) Control objectives and controls ... 11
Annex B (informative) Guidance on use of the standard ... 22
Annex C (informative) Correspondence between BS EN ISO 9001:2000, BS EN ISO 14001:1996 and BS 7799-2:2002 ... 28
Annex D (informative) Changes to internal numbering ... 30
Bibliography ... 33

Figure 1 - PDCA model applied to ISMS processes ... 2
Table B.1 - OECD principles and the PDCA model ... 27
Table C.1 - Correspondence between BS EN ISO 9001:2000, BS EN ISO 14001:1996 and BS 7799-2:2002 ... 28
Table D.1 - Relationship between internal numbering in different editions of BS 7799-2 ... 30



Foreword

This part of BS 7799 has been prepared by BDD/2, Information security management. It supersedes BS 7799-2:1999, which is obsolescent.

This new edition has been produced to harmonize it with other management system standards such as BS EN ISO 9001:2000 and BS EN ISO 14001:1996 to provide consistent and integrated implementation and operation of management systems. It also introduces a Plan-Do-Check-Act (PDCA) model as part of a management system approach to developing, implementing, and improving the effectiveness of an organization's information security management system.

The implementation of the PDCA model will also reflect the principles as set out in the OECD guidance (2002) 1) governing the security of information systems and networks. In particular, this new edition gives a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment.

The control objectives and controls referred to in this edition are directly derived from and aligned with those listed in BS ISO/IEC 17799:2000. The list of control objectives and controls in this British Standard is not exhaustive and an organization might consider that additional control objectives and controls are necessary. Not all the controls described will be relevant to every situation, nor can they take account of local environmental or technological constraints, or be present in a form that suits every potential user in an organization.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard does not in itself confer immunity from legal obligations.

1) OECD. OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org

Summary of pages
This document comprises a front cover, an inside front cover, pages i and ii, pages 1 to 33 and a back cover.
The BSI copyright notice displayed in this document indicates when the document was last issued.



0 Introduction

0.1 General

This British Standard has been prepared for business managers and their staff to provide a model for setting up and managing an effective Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by business needs and objectives, resulting security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that simple situations require simple ISMS solutions.

This British Standard can be used by internal and external parties, including certification bodies, to assess an organization's ability to meet its own requirements, as well as any customer or regulatory demands.

0.2 Process approach

This British Standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of an organization's ISMS.

An organization must identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the following process.

The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a "process approach".

A process approach encourages its users to emphasize the importance of:
a) understanding business information security requirements and the need to establish policy and objectives for information security;
b) implementing and operating controls in the context of managing an organization's overall business risk;
c) monitoring and reviewing the performance and effectiveness of the ISMS;
d) continual improvement based on objective measurement.

The model, known as the "Plan-Do-Check-Act" (PDCA) model, can be applied to all ISMS processes, as adopted in this standard. Figure 1 illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes (i.e. managed information security) that meet those requirements and expectations. Figure 1 also illustrates the links in the processes presented in Clauses 4, 5, 6 and 7.

EXAMPLE 1 A requirement might be that breaches of information security will not cause serious financial damage to an organization and/or cause embarrassment to the organization.

EXAMPLE 2 An expectation might be that if a serious incident occurs (perhaps hacking of an organization's eBusiness web site) there should be people with sufficient training in appropriate procedures to minimize the impact.

NOTE The term "procedure" is, by convention, used in information security to mean a "process" that is carried out by people as opposed to a computer or other electronic means.



0.3 Compatibility with other management systems

This standard is aligned with BS EN ISO 9001:2000 and BS EN ISO 14001:1996 in order to support consistent and integrated implementation and operation with related management standards. Table C.1 illustrates the relationship between the clauses of this British Standard, BS EN ISO 9001:2000 and BS EN ISO 14001:1996.

This British Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.

Figure 1 - PDCA model applied to ISMS processes

[Figure 1: the information security requirements and expectations of interested parties enter a development, maintenance and improvement cycle of Plan (establish the ISMS), Do (implement and operate the ISMS), Check (monitor and review the ISMS) and Act (maintain and improve the ISMS); its output to interested parties is managed information security.]

Plan (establish the ISMS): Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the security policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.



1 Scope

1.1 General

This standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof (see Annex B, which provides informative guidance on the use of this standard).

The ISMS is designed to ensure adequate and proportionate security controls that adequately protect information assets and give confidence to customers and other interested parties. This can be translated into maintaining and improving competitive edge, cash flow, profitability, legal compliance and commercial image.

1.2 Application

The requirements set out in this British Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature of business. Where any requirement(s) of this standard cannot be applied due to the nature of an organization and its business, the requirement can be considered for exclusion.

Where exclusions are made, claims of conformity to this standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable regulatory requirements. Any exclusions of controls found to be necessary to satisfy the risk acceptance criteria need to be justified, and evidence needs to be provided that the associated risks have been properly accepted by accountable people. Excluding any of the requirements specified in Clauses 4, 5, 6 and 7 is not acceptable.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document applies.

BS EN ISO 9001:2000, Quality management systems - Requirements.
BS ISO/IEC 17799:2000, Information technology - Code of practice for information security management.
ISO Guide 73:2002, Risk management - Vocabulary - Guidelines for use in standards.

3 Terms and definitions

For the purposes of this British Standard, the following terms and definitions apply.

3.1 availability
ensuring that authorized users have access to information and associated assets when required
[BS ISO/IEC 17799:2000]

3.2 confidentiality
ensuring that information is accessible only to those authorized to have access
[BS ISO/IEC 17799:2000]

3.3 information security
preservation of confidentiality, integrity and availability of information



3.4 information security management system (ISMS)
that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
NOTE The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

3.5 integrity
safeguarding the accuracy and completeness of information and processing methods
[BS ISO/IEC 17799:2000]

3.6 risk acceptance
decision to accept a risk
[ISO Guide 73]

3.7 risk analysis
systematic use of information to identify sources and to estimate the risk
[ISO Guide 73]

3.8 risk assessment
overall process of risk analysis and risk evaluation
[ISO Guide 73]

3.9 risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of risk
[ISO Guide 73]

3.10 risk management
coordinated activities to direct and control an organization with regard to risk
[ISO Guide 73]

3.11 risk treatment
process of selection and implementation of measures to modify risk
[ISO Guide 73]

3.12 statement of applicability
document describing the control objectives and controls that are relevant and applicable to the organization's ISMS, based on the results and conclusions of the risk assessment and risk treatment processes



4 Information security management system

4.1 General requirements

The organization shall develop, implement, maintain and continually improve a documented ISMS within the context of the organization's overall business activities and risk. For the purposes of this standard the process used is based on the PDCA model shown in Figure 1.

4.2 Establishing and managing the ISMS

4.2.1 Establish the ISMS

The organization shall do the following.

a) Define the scope of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology.

b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:
1) includes a framework for setting its objectives and establishes an overall sense of direction and principles for action with regard to information security;
2) takes into account business and legal or regulatory requirements, and contractual security obligations;
3) establishes the strategic organizational and risk management context in which the establishment and maintenance of the ISMS will take place;
4) establishes criteria against which risk will be evaluated and the structure of the risk assessment will be defined [see 4.2.1 c)];
5) has been approved by management.

c) Define a systematic approach to risk assessment. Identify a method of risk assessment that is suited to the ISMS, and the identified business information security, legal and regulatory requirements. Set policy and objectives for the ISMS to reduce risks to acceptable levels. Determine criteria for accepting the risks and identify the acceptable levels of risk [see 5.1 f)].

d) Identify the risks.
1) Identify the assets within the scope of the ISMS and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

e) Assess the risks.
1) Assess the business harm that might result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the assets.
2) Assess the realistic likelihood of such a security failure occurring in the light of prevailing threats and vulnerabilities and impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risk is acceptable or requires treatment using the criteria established in 4.2.1 c).

f) Identify and evaluate options for the treatment of risks. Possible actions include:
1) applying appropriate controls;
2) knowingly and objectively accepting risks, providing they clearly satisfy the organization's policy and the criteria for risk acceptance [see 4.2.1 c)];
3) avoiding risks;
4) transferring the associated business risks to other parties, e.g. insurers, suppliers.



g) Select control objectives and controls for the treatment of risks. Appropriate control objectives and controls shall be selected from Annex A of this standard and the selection shall be justified on the basis of the conclusions of the risk assessment and risk treatment process.
NOTE The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may also be selected.

h) Prepare a Statement of Applicability. The control objectives and controls selected in 4.2.1 g) and the reasons for their selection shall be documented in the Statement of Applicability. The exclusion of any control objectives and controls listed in Annex A shall also be recorded.

i) Obtain management approval of the proposed residual risks and authorization to implement and operate the ISMS.

4.2.2 Implement and operate the ISMS

The organization shall do the following.
a) Formulate a risk treatment plan that identifies the appropriate management action, responsibilities and priorities for managing information security risks (see Clause 5).
b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
c) Implement controls selected in 4.2.1 g) to meet the control objectives.
d) Implement training and awareness programmes (see 5.2.2).
e) Manage operations.
f) Manage resources (see 5.2).
g) Implement procedures and other controls capable of enabling prompt detection of and response to security incidents.

4.2.3 Monitor and review the ISMS

The organization shall do the following.
a) Execute monitoring procedures and other controls to:
1) detect errors in the results of processing promptly;
2) identify failed and successful security breaches and incidents promptly;
3) enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected;
4) determine the actions taken to resolve a breach of security, reflecting business priorities.
b) Undertake regular reviews of the effectiveness of the ISMS (including meeting security policy and objectives, and review of security controls), taking into account results of security audits, incidents, suggestions and feedback from all interested parties.
c) Review the level of residual risk and acceptable risk, taking into account changes to:
1) the organization;
2) technology;
3) business objectives and processes;
4) identified threats;
5) external events, such as changes to the legal or regulatory environment and changes in social climate.



d) Conduct internal ISMS audits at planned intervals.
e) Undertake a management review of the ISMS on a regular basis (at least once a year) to ensure that the scope remains adequate and improvements in the ISMS process are identified (see Clause 6).
f) Record actions and events that could have an impact on the effectiveness or performance of the ISMS (see 4.3.3).

4.2.4 Maintain and improve the ISMS

The organization shall regularly do the following.
a) Implement the identified improvements in the ISMS.
b) Take appropriate corrective and preventive actions in accordance with 7.2 and 7.3. Apply the lessons learnt from the security experiences of other organizations and those of the organization itself.
c) Communicate the results and actions and agree with all interested parties.
d) Ensure that the improvements achieve their intended objectives.

4.3 Documentation requirements

4.3.1 General

The ISMS documentation shall include the following.
a) Documented statements of the security policy [see 4.2.1 b)] and control objectives.
b) The scope of the ISMS [see 4.2.1 a)] and procedures and controls in support of the ISMS.
c) Risk assessment report [see 4.2.1 c) to 4.2.1 g)].
d) Risk treatment plan [see 4.2.2 b)].
e) Documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes (see 6.1).
f) Records required by this British Standard (see 4.3.3).
g) Statement of Applicability.

All documentation shall be made available as required by the ISMS policy.

NOTE 1 Where the term "documented procedure" appears within this standard, this means that the procedure is established, documented, implemented and maintained.
NOTE 2 The extent of the ISMS documentation can differ from one organization to another owing to:
- the size of the organization and the type of its activities;
- the scope and complexity of the security requirements and the system being managed.
NOTE 3 Documents and records may be in any form or type of medium.

4.3.2 Control of documents

Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:
a) approve documents for adequacy prior to issue;
b) review and update documents as necessary and re-approve documents;
c) ensure that changes and the current revision status of documents are identified;
d) ensure that the most recent versions of relevant documents are available at points of use;
e) ensure that documents remain legible and readily identifiable;
f) ensure that documents of external origin are identified;
g) ensure that the distribution of documents is controlled;
h) prevent the unintended use of obsolete documents;
i) apply suitable identification to them if they are retained for any purpose.
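The risk assessment and treatment steps of 4.2.1 c) to i), together with the risk assessment report, risk treatment plan and Statement of Applicability that 4.3.1 lists as required documentation, worked through as an added Python example. This is not text or code from the standard or from BSI. The standard does not prescribe an assessment method, so everything below the clause references is an assumption constructed for the example: the 1-5 impact and likelihood scales, the multiplicative risk level, the RISK_ACCEPTANCE_LEVEL threshold, the assets, threats, scores and the CTRL-* control catalogue, which merely stands in for Annex A (not reproduced in this sample).

```python
"""Risk assessment and treatment worked through 4.2.1 c) to i) of BS 7799-2:2002.

Added example, not text or code from the standard or BSI. The standard requires
the steps but leaves the method to the organization, so one is assumed here:
impact and likelihood on a 1-5 scale, risk level = impact x likelihood, and an
acceptance criterion set by management [5.1 f)]. Assets, threats, scores and the
CTRL-* control catalogue are constructed; Annex A itself is not reproduced here.
"""
from dataclasses import dataclass, field

RISK_ACCEPTANCE_LEVEL = 8  # assumed criterion: a risk level <= 8 needs no treatment

# Constructed stand-ins for Annex A controls:
# id -> (title, assumed reduction in likelihood, in scale steps, once implemented)
CONTROL_CATALOGUE = {
    "CTRL-ACCESS": ("User access management", 2),
    "CTRL-MALWARE": ("Controls against malicious software", 2),
    "CTRL-BACKUP": ("Information back-up", 3),
    "CTRL-PHYSICAL": ("Physical entry controls", 2),
}

@dataclass
class Asset:            # 4.2.1 d) 1): asset, its owner, and harm from loss of C, I, A (1-5)
    name: str
    owner: str
    c: int
    i: int
    a: int

@dataclass
class Risk:             # 4.2.1 d) 2)-4): threat, vulnerability, properties affected
    asset: Asset
    threat: str
    vulnerability: str
    affects: tuple      # subset of ("C", "I", "A")
    likelihood: int     # 1-5, given the controls already in place
    candidate_controls: list = field(default_factory=list)
    transferable: bool = False   # e.g. insurable [4.2.1 f) 4)]

def impact(risk):
    """4.2.1 e) 1): business harm is the worst of the affected CIA properties."""
    values = {"C": risk.asset.c, "I": risk.asset.i, "A": risk.asset.a}
    return max(values[p] for p in risk.affects)

def risk_level(risk, likelihood=None):
    """4.2.1 e) 3): estimate the level of risk as impact x likelihood."""
    return impact(risk) * (risk.likelihood if likelihood is None else likelihood)

def residual_likelihood(risk):
    """Likelihood after the candidate controls are implemented (floor 1)."""
    reduction = sum(CONTROL_CATALOGUE[c][1] for c in risk.candidate_controls)
    return max(1, risk.likelihood - reduction)

def treat(risk):
    """4.2.1 e) 4) and f): evaluate against the criterion and choose a treatment.
    Assumed rule: accept if within criterion; else apply controls if they bring the
    residual within it; else transfer if possible; else avoid. The residual values
    are what management approves under 4.2.1 i)."""
    inherent = risk_level(risk)
    if inherent <= RISK_ACCEPTANCE_LEVEL:
        return {"option": "accept", "inherent": inherent, "residual": inherent}
    if risk.candidate_controls:
        residual = risk_level(risk, residual_likelihood(risk))
        if residual <= RISK_ACCEPTANCE_LEVEL:
            return {"option": "apply controls", "inherent": inherent, "residual": residual}
    if risk.transferable:
        return {"option": "transfer", "inherent": inherent, "residual": inherent}
    return {"option": "avoid", "inherent": inherent, "residual": 0}

def statement_of_applicability(register):
    """4.2.1 g) and h): every catalogue control is selected, with the risks that
    justify it, or explicitly recorded as excluded."""
    decisions = [(r, treat(r)) for r in register]
    soa = {}
    for cid, (title, _) in CONTROL_CATALOGUE.items():
        reasons = [f"{r.asset.name}: {r.threat}" for r, d in decisions
                   if d["option"] == "apply controls" and cid in r.candidate_controls]
        soa[cid] = {"title": title, "selected": bool(reasons),
                    "justification": "; ".join(reasons) or "excluded: no in-scope risk requires it"}
    return soa

# Constructed sample register (not from the standard).
CUSTOMER_DB = Asset("customer database", "head of sales", c=5, i=4, a=3)
WEB_SHOP = Asset("eBusiness web site", "head of e-commerce", c=3, i=4, a=5)
BROCHURES = Asset("public brochure PDFs", "marketing manager", c=1, i=2, a=2)
SERVER_ROOM = Asset("server room", "IT manager", c=2, i=3, a=5)
SAMPLE_REGISTER = [
    Risk(CUSTOMER_DB, "disclosure by insider", "excessive access rights", ("C",), 3, ["CTRL-ACCESS"]),
    Risk(WEB_SHOP, "hacking of the web site", "unpatched server software", ("I", "A"), 3, ["CTRL-MALWARE"]),
    Risk(BROCHURES, "hosting outage", "single hosting provider", ("A",), 3),
    Risk(SERVER_ROOM, "flooding", "ground-floor location", ("A",), 2, transferable=True),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:      # risk assessment report and treatment plan input
        d = treat(r)
        print(f"{r.asset.name:20} {r.threat:24} inherent={d['inherent']:2}  {d['option']} (residual {d['residual']})")
    for cid, e in statement_of_applicability(SAMPLE_REGISTER).items():
        print(f"{cid:14} {'selected' if e['selected'] else 'EXCLUDED'}: {e['justification']}")
```

Run as a script it prints one line per risk (the inputs to the risk assessment report and risk treatment plan) and one line per catalogue control (the Statement of Applicability), with unused controls recorded as excluded rather than silently omitted, as 4.2.1 h) requires. The residual values are what management approves under 4.2.1 i); a risk that the candidate controls cannot bring within the criterion falls through to transfer or avoidance instead of staying on the register with an unapproved residual.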



4.3.3 Control of records

Records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS. They shall be controlled. The ISMS shall take account of any relevant legal requirements. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented. A management process shall determine the need for and extent of records.

Records shall be kept of the performance of the process as outlined in 4.2 and of all occurrences of security incidents related to the ISMS.

EXAMPLE Examples of records are a visitors' book, audit records and authorization of access.

5 Management responsibility

5.1 Management commitment

Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:
a) establishing an information security policy;
b) ensuring that information security objectives and plans are established;
c) establishing roles and responsibilities for information security;
d) communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;
e) providing sufficient resources to develop, implement, operate and maintain the ISMS (see 5.2.1);
f) deciding the acceptable level of risk;
g) conducting management reviews of the ISMS (see Clause 6).

5.2 Resource management

5.2.1 Provision of resources

The organization shall determine and provide the resources needed to:
a) establish, implement, operate and maintain an ISMS;
b) ensure that information security procedures support the business requirements;
c) identify and address legal and regulatory requirements and contractual security obligations;
d) maintain adequate security by correct application of all implemented controls;
e) carry out reviews when necessary, and react appropriately to the results of these reviews;
f) where required, improve the effectiveness of the ISMS.

5.2.2 Training, awareness and competency

The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:
a) determining the necessary competencies for personnel performing work affecting the ISMS;
b) providing competent training and, if necessary, employing competent personnel to satisfy these needs;
c) evaluating the effectiveness of the training provided and actions taken;
d) maintaining records of education, training, skills, experience and qualifications (see 4.3.3).

The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.



6 Management review of the ISMS

6.1 General

Management shall review the organization's ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the security policy and security objectives. The results of the reviews shall be clearly documented and records shall be maintained (see 4.3.3).

6.2 Review input

The input to a management review shall include information on:
a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) follow-up actions from previous management reviews;
g) any changes that could affect the ISMS;
h) recommendations for improvement.

6.3 Review output

The output from the management review shall include any decisions and actions related to the following.
a) Improvement of the effectiveness of the ISMS.
b) Modification of procedures that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
1) business requirements;
2) security requirements;
3) business processes affecting the existing business requirements;
4) regulatory or legal environment;
5) levels of risk and/or levels of risk acceptance.
c) Resource needs.

6.4 Internal ISMS audits

The organization shall conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of its ISMS:
a) conform to the requirements of this standard and relevant legislation or regulations;
b) conform to the identified information security requirements;
c) are effectively implemented and maintained;
d) perform as expected.

An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3), shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Improvement activities shall include the verification of the actions taken and the reporting of verification results (see Clause 7).



7 ISMS improvement

7.1 Continual improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.

7.2 Corrective action

The organization shall take action to eliminate the cause of nonconformities associated with the implementation and operation of the ISMS in order to prevent recurrence. The documented procedure for corrective action shall define requirements for:
a) identifying nonconformities of the implementation and/or operation of the ISMS;
b) determining the causes of nonconformities;
c) evaluating the need for actions to ensure that nonconformities do not recur;
d) determining and implementing the corrective action needed;
e) recording results of action taken (see 4.3.3);
f) reviewing corrective action taken.

7.3 Preventive action

The organization shall determine action to guard against future nonconformities in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for:
a) identifying potential nonconformities and their causes;
b) determining and implementing the preventive action needed;
c) recording results of action taken (see 4.3.3);
d) reviewing preventive action taken;
e) identifying changed risks and ensuring that attention is focused on significantly changed risks.

The priority of preventive actions shall be determined based on the results of the risk assessment.

NOTE Action to prevent nonconformities
...
