Let's Crack the BS 7799
Information is the most valuable asset of any organization. Therefore, it is essential for business partners and clients to be aware of your information security systems. Over the past two decades, two major factors have contributed to the realization of the importance of information security systems. The first is that organizations have become more and more dependent on information and communication technologies. The second is that since the advent of information and communication technologies, the business model of organizations has transformed completely, from working in limited geographical areas to reaching a far wider market. Organizations have become location independent. Advancements in communication technologies have changed the boundaries of organizations and brought the importance of data and information to the forefront.
BS 7799 ISMS
The BS 7799 Information Security Management System is intended to provide guidance in support of the requirements given in ISO 27001 regarding all aspects of the ISMS (Information Security Management System) risk management cycle. This gives assurance that the organization has met the minimum requirements for establishing a Quality Management System (QMS).
The BS 7799 standard comprises two parts:
Part 1: Code of Practice for Information Security Management.
Part 2: Specification for Information Security Management Systems.
Part 1 describes the recommended best practices that should be followed, and Part 2 gives the specification against which an organization is evaluated to determine whether it deserves to be certified.
The steps outlining the concept of BS 7799 are:
Step 1: Risk Assessment
The first and most essential step of BS 7799 is risk assessment. This is a detailed risk evaluation exercise, carried out by first taking a complete inventory of all of the organization's information assets.
Step 2: Information Classification
All information assets are to be classified based on their criticality and sensitivity.
Step 3: Risk Mitigation
This is where the BS 7799 controls come in. They are given in BS 7799 Part 2: Specification for Information Security Management Systems, and are divided into 10 domains:
1. Security Policy - explains what an information security policy should cover and why each business should have one.
2. Organizational Security - explains how information security management is organized.
3. Asset Classification and Control - considers information and information processing equipment as valuable assets to be managed and accounted for.
4. Personnel Security - details personnel issues such as training, responsibilities, vetting procedures, and how staff should respond to security incidents.
5. Physical and Environmental Security - physical aspects of security including protection of equipment and information from physical harm, as well as physical control of access to information and equipment.
6. Communications and Operations Management - examines correct management and secure operation of information processing facilities during day-to-day activities.
7. Access Control - control of access to information and systems on the basis of business and security needs.
8. System Development and Maintenance - design and maintenance of systems so that they are secure and maintain information integrity.
9. Business Continuity Management - concerns the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor, local issues.
10. Compliance - concerns business compliance with relevant national and international laws, professional standards and any processes mandated by the Information Security Management System (ISMS).
When BS 7799 is applied well, it has undeniable advantages. These include reduced operational risk along with increased business efficiency. BS 7799 also gives assurance that information security is being rationally applied.
In practice, this assurance rests on the following:
- Security controls are justified
- Policies and procedures are appropriate
- Security awareness is good amongst staff and managers
- All security relevant information processing and supporting activities are auditable and are being audited
- Internal audit and incident reporting/management mechanisms are handled appropriately
- Management actively focuses on information security and its effectiveness
Even though BS 7799 may not be the perfect security certification, it provides good guidelines for information management systems. It is a standard for measuring how secure the information entrusted to an organization by its partners and clients really is. More importantly, it follows a risk-oriented approach that ensures the security standards in an organization do not slip even after the certificate has been obtained.
If you are looking for a security certification of your processes, BS 7799 is possibly the right way to begin.