ISMS, ITIL, ISO and others - BS7799 is interpreted as a quality standard

venkat - 2011

The information security standard BS7799 is conceived as a quality standard. This is erroneous. Though the standard has the same structure as ISO, it does not mean that they can be merged. Information security is about the security of information across the organisation. If we merge these two, then the concept of information security becomes infructuous.

Similarly, it is not mandatory to unite all the standards. We can have different systems running in parallel.
 
venkat said:
The information security standard BS7799 is conceived as a quality standard. This is erroneous. Though the standard has the same structure as ISO, it does not mean that they can be merged. Information security is about the security of information across the organisation. If we merge these two, then the concept of information security becomes infructuous.

Similarly, it is not mandatory to unite all the standards. We can have different systems running in parallel.
I'm not quite sure I understand how the "concept of information security becomes infructuous" [unfruitful] by merging it with the quality and business management systems espoused by the ISO and/or TS series of standards.

It would seem to me the basic tenets of BS7799 are:
  • To manage information security within the Company
  • To maintain the security of organizational information processing facilities and information assets accessed by third parties
  • To maintain the security of information when the responsibility for information processing has been outsourced to another organization
which are not much different from the concepts of Document Management and Control and especially of the subset of Document Management called Configuration Management.

The primary concept is to keep unauthorized copies or modifications of documents from circulating where the information contained can harm the organization in some way (competitors, or making the wrong product, are just two of the potential dangers organizations face). Therefore, each organization needs a "risk analysis" [FMEA] to assess the level of security needed on information within the organization, regardless of whether it is on paper, on electronic media, or contained in the brains of employees.

Therefore, would you please elaborate on your premise regarding the "unfruitfulness" of merging BS7799 with ANY of the Quality or Business Standards?
 
Integrating ISO 9000 and BS 7799

Hi everyone! I became a member ten minutes ago and this is my first post.

First of all, there is nothing wrong in combining both standards to form a QISMS, a quality and information security management system. In fact, the pros outweigh the cons in implementing them together.

Here in the Philippines, there are 6 organizations certified to BS7799 and all of them have integrated BS 7799 with ISO 9001:2000.

It was a seamless integration for each organization.

Much of the "systemic" requirements of BS 7799, such as control of documents, control of records, internal audits, CA and PA, are similar or only very slightly different from ISO 9001:2000.

In combining the two standards, organizations can save resources.

I was the lead consultant for 3 out of the 6 certified BS 7799 organizations here, and I've seen the benefits of integrating both standards.

I hope I have contributed my bit. More power to the group and most especially to all the members.

Cheers!!!

"If you think technology is the solution to your information security problems, then you don't know your problems and you don't understand technology."
 
What I mean is that if there are no competencies in an organisation who can handle both, then security becomes non-focussed. This is what I called infructuous. The concept of Management Representative is fast changing. If that is the case, then a person must be well versed with all standards and be able to be in the forefront. On paper it is very easy to state a merger; how practical it is to follow is a question. There can be identical clauses in the standards; it doesn't mean they can be merged.

Saving resources: time saving is important, but at the same time the audit has to be focused. There is no point in doing security audits for the sake of doing them. The auditors need skill in firewalls, routers, ports etc. to do an effective audit. In security, the auditee can adhere to an information classification schema (confidential, secret) and need not disclose in the interest of the organisation. The auditors cannot derive an adverse inference.

Our company was audited by an external auditor, and he was impressed with security as an independent system. In fact, he also suggested having it independently. He opined that merging can pose problems, or we need to have a person in the rank of Director - Technical as a Management Representative.
 
IMHO, the necessary resources must be in place before an organization starts to implement any management system. These resources include competence. In fact, BS 7799 made an emphasis on competence by stating "if necessary, employ competent personnel".

You are right Mr Venkat that organizations "without" the proper manpower and/or resources would have difficulties in implementing any management system much less merging them.

With regard to security audits, the depth of a security audit should be commensurate with the security in place. The amount of security in place should be based on the information you are protecting. Simply put, don't buy a ten-dollar fence to keep a five-dollar horse. One has to find the optimum trade-off between security controls and information. The same axiom can be used in auditing security.
 