Information security management
BS 7799-2:1999, Information security management. Part 2: Specification for information security management systems.
3.1 General
The organization shall establish and maintain a documented ISMS. This shall address the assets to be protected, the organization's approach to risk management, the control objectives and controls, and the degree of assurance required.
3.2 Establishing a management framework
The following steps shall be undertaken to identify and document the control objectives and controls (see Figure 1).
a) The information security policy shall be defined.
b) The scope of the information security management system shall be defined. The boundaries shall be defined in terms of the characteristics of the organization, its location, assets and technology.
c) An appropriate risk assessment shall be undertaken. The risk assessment shall identify the threats to assets, vulnerabilities and impacts on the organization and shall determine the degree of risk.
d) The areas of risk to be managed shall be identified based on the organization's information security policy and the degree of assurance required.
e) Appropriate control objectives and controls shall be selected from clause 4 for implementation by the organization, and the selection shall be justified.
NOTE Guidance on the selection of control objectives and controls can be found in BS ISO/IEC 17799. The control objectives and controls listed in clause 4 of this part of BS 7799 are not exhaustive and additional controls may also be selected.
f) A statement of applicability shall be prepared. The selected control objectives and controls, and the reasons for their selection, shall be documented in the statement of applicability. This statement shall also record the exclusion of any controls listed in clause 4.
These steps shall be reviewed at appropriately defined intervals as required.
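The following Python script is an added worked example, not part of BS 7799-2 itself, showing how the steps of 3.2 can be carried through mechanically: a scoped risk assessment (c), a policy threshold that decides which risks must be managed (d), selection of controls with a recorded justification (e), and a statement of applicability in which every catalogue control is either applicable or explicitly excluded with a reason (f). The control identifiers and titles are the clause 4 entries excerpted on this page; the assets, threats, 1..5 scoring scale and the acceptance threshold are constructed sample values.

```python
from dataclasses import dataclass

# Risk acceptance threshold taken from the information security policy (3.2 a)).
# Constructed value: degree of risk = likelihood x impact on a 1..5 scale each.
POLICY_RISK_THRESHOLD = 9

# Clause 4 control identifiers and titles as excerpted on the page.
CONTROL_CATALOGUE = {
    "4.1.1.1": "Information security policy document",
    "4.1.1.2": "Review and evaluation",
    "4.2.1.1": "Management information security forum",
    "4.2.1.2": "Information security co-ordination",
    "4.2.1.3": "Allocation of information security responsibilities",
    "4.2.1.4": "Authorization process for information processing facilities",
    "4.2.1.5": "Specialist information security advice",
    "4.2.1.6": "Co-operation between organizations",
    "4.2.1.7": "Independent review of information security",
    "4.2.2.1": "Identification of risks from third party access",
    "4.2.2.2": "Security requirements in third party contracts",
}


@dataclass(frozen=True)
class Asset:
    name: str
    in_scope: bool  # 3.2 b): inside the ISMS boundary or not


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int       # 1 (negligible) .. 5 (severe), constructed scale
    treated_by: tuple  # control ids from CONTROL_CATALOGUE that treat this risk

    @property
    def degree(self) -> int:
        """Degree of risk as required by 3.2 c); product scoring is an assumption."""
        return self.likelihood * self.impact


# Constructed sample data for the example.
ASSETS = (
    Asset("customer database server", True),
    Asset("outsourced payroll service", True),
    Asset("staff canteen till", False),   # outside the defined scope
)

RISKS = (
    Risk("customer database server", "unauthorised external connection",
         "no approval step before new network services go live", 4, 4,
         ("4.2.1.4", "4.2.1.3")),
    Risk("outsourced payroll service", "data disclosure by contractor staff",
         "contract silent on security obligations", 3, 4,
         ("4.2.2.1", "4.2.2.2")),
    Risk("customer database server", "security policy silently out of date",
         "no scheduled policy review", 2, 2, ("4.1.1.1", "4.1.1.2")),
    Risk("staff canteen till", "theft of cash", "till left unattended", 5, 1, ()),
)


def assess(assets, risks):
    """3.2 c): risks to in-scope assets with their degree of risk, highest first.
    Rejects risks that reference an asset missing from the asset inventory."""
    known = {a.name for a in assets}
    unknown = {r.asset for r in risks} - known
    if unknown:
        raise ValueError(f"risks refer to unregistered assets: {sorted(unknown)}")
    scope = {a.name for a in assets if a.in_scope}
    return sorted((r for r in risks if r.asset in scope),
                  key=lambda r: r.degree, reverse=True)


def select_controls(assessed, threshold=POLICY_RISK_THRESHOLD):
    """3.2 d)/e): every risk at or above the threshold must be managed. Returns
    {control_id: [justification, ...]} for each control that treats such a risk."""
    selected = {}
    for r in assessed:
        if r.degree < threshold:
            continue  # accepted under the policy; selects no control by itself
        for cid in r.treated_by:
            if cid not in CONTROL_CATALOGUE:
                raise KeyError(f"{cid} is not in the control catalogue")
            selected.setdefault(cid, []).append(
                f"treats '{r.threat}' on {r.asset} (degree {r.degree})")
    return selected


def statement_of_applicability(selected):
    """3.2 f): one row per catalogue control, applicable with its justification
    or explicitly excluded with the reason for exclusion recorded."""
    rows = []
    for cid, title in CONTROL_CATALOGUE.items():
        if cid in selected:
            rows.append((cid, title, "applicable", "; ".join(selected[cid])))
        else:
            rows.append((cid, title, "excluded",
                         "no risk at or above the policy threshold is treated by this control"))
    return rows


if __name__ == "__main__":
    soa = statement_of_applicability(select_controls(assess(ASSETS, RISKS)))
    for cid, title, status, why in soa:
        print(f"{cid:8} {title:58} {status:10} {why}")
```

With the constructed data, the canteen till never reaches control selection because it lies outside the scope defined in step b), and the out-of-date-policy risk is accepted because its degree (4) is below the threshold, so the policy-document controls end up recorded as excluded with a reason. That last outcome is deliberate in the example: it shows that the statement of applicability must carry an explicit justification for every exclusion, which is exactly the point at which a reviewer would question whether the threshold or the risk scoring is right.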
3.3 Implementation
The selected control objectives and controls shall be implemented effectively by the organization. The effectiveness of the procedures adopted to implement the controls shall be verified by reviews in accordance with 4.10.2.
NOTE Attention is drawn to the recommendations given in BS ISO/IEC 17799.
3.4 Documentation
The ISMS documentation shall consist of the following information:
a) evidence of the actions undertaken as specified in 3.2;
b) a summary of the management framework including the information security policy and the control objectives and implemented controls given in the statement of applicability;
c) the procedures adopted to implement the controls as specified in 3.3. These shall describe responsibilities and relevant actions;
d) the procedures covering the management and operation of the ISMS. These shall describe responsibilities and relevant actions.
NOTE The documents listed in 3.4b) and c) may be conveniently placed together in a security policy manual.
3.5 Document control
The organization shall establish and maintain procedures for controlling all documentation required under 3.4 to ensure that the documentation is:
a) readily available;
b) periodically reviewed and revised as necessary in line with the organization's security policy;
c) maintained under version control and made available at all locations where operations essential to the effective functioning of the ISMS are performed;
d) promptly withdrawn when obsolete;
e) identified and retained when obsolete and required for legal or knowledge preservation purposes, or both.
Documentation shall be legible, dated (together with dates of revision) and readily identifiable, maintained in an orderly manner and retained for a specified period. Procedures and responsibilities shall be established and maintained for the creation and modification of the various types of document.
3.6 Records
Records, being evidence generated as a consequence of the operation of the ISMS, shall be maintained to demonstrate compliance with the requirements of this part of BS 7799 as appropriate to the system and to the organization, e.g. a visitors' book, audit records and authorization of access.
The organization shall establish and maintain procedures for identifying, maintaining, retaining and disposing of the records demonstrating compliance.
Records shall be legible, identifiable and traceable to the activity involved. Records shall be stored and maintained in such a way that they are readily retrievable and protected against damage, deterioration or loss.
NOTE Records may be in any medium, such as hard copy or electronic media.
4.1.1.1 Information security policy document
A policy document shall be approved by management, published and communicated, as appropriate, to all employees.
4.1.1.2 Review and evaluation
The policy shall be reviewed regularly, and in case of influencing changes, to ensure it remains appropriate.
4.2.1.1 Management information security forum
A management forum to ensure that there is clear direction and visible management support for security initiatives shall be in place.
4.2.1.2 Information security co-ordination
Where appropriate to the size of the organization, a cross-functional forum of management representatives from relevant parts of the organization shall be used to co-ordinate the implementation of information security controls.
4.2.1.3 Allocation of information security responsibilities
Responsibilities for the protection of individual assets and for carrying out specific security processes shall be clearly defined.
4.2.1.4 Authorization process for information processing facilities
A management authorization process for new information processing facilities shall be established.
4.2.1.5 Specialist information security advice
Advice on information security provided by in-house or specialist advisors shall be sought and communicated throughout the organization.
4.2.1.6 Co-operation between organizations
Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.
4.2.1.7 Independent review of information security
The implementation of the information security policy shall be reviewed independently.
4.2.2.1 Identification of risks from third party access
The risks associated with access to organizational information processing facilities by third parties shall be assessed and appropriate security controls implemented.
4.2.2.2 Security requirements in third party contracts
Arrangements involving third party access to organizational information processing facilities shall be based on a formal contract containing all necessary security requirements.