Gusztav Arany,
Sales & Marketing Manager
Contents
1. BSI Global Introduction
2. BS 7799-2 / ISO 27001:2005: Timeline, Products
3. New and Important in ISO/IEC 27001:2005
4. Process of Assessment and Registration
5. Certification Benefits
6. BSI Presence and Abilities in Romania
7. Next Steps
1. BSI Global Introduction
Established in 1903
ISO 9001, ISO 14001, OHSAS, ISO/TS 16949, ISO 22000
Present in 105 countries
Main Partners:
3M, Oxford Automotive, ABB, Shell, American Axle, Xerox, Alcoa, Toyota, Bosch Corporation, Sony, BT, Yell, Fujitsu, Lockheed Martin, Guardian, Honeywell, HP/Compaq, Lloyds TSB Group, ITT Industries, Marconi, Johnson & Johnson, Marley
1. BSI Global Introduction
BS 7799 references:
In the UK: 357 certificates
Worldwide: 4900 certificates
BS 7799 Development (timeline diagram):
BS 7799-1:1999 (1999, UK): normal revision cycle in ISO; international committee decision to change number.
BS 7799-2:1999, developed to support certification: revised in the UK and submitted to the ISO fast-track; international committee decision to change number; became BS ISO/IEC 27001:2005.
2. BS 7799 Products
International Standards:
BS ISO/IEC 27000: Fundamentals and vocabulary
BS ISO/IEC 27001: Information security management systems - Requirements
BS ISO/IEC 27002: Code of practice for information security management
BS ISO/IEC 27003: Implementation guidance
BS ISO/IEC 27004: Metrics and measurement
BS ISO/IEC 27005: Information security risk management
27006...27011: Reserved for future development (products driven by both BSI and potentially ISO TC)
Diagram status labels: Available now; Still in development; Future new product development
3. New and Important in ISO/IEC 27001:2005
Several clauses and control objectives have been added or changed in order to emphasize their importance:
Organization of Information Security:
A.6.1.5 Confidentiality Agreements
A.6.1.6 Contact with Authorities
A.6.1.7 Contact with Special Interest Groups (for example CERTs, specialists, security forums)
Asset Management:
A.7.1.2 Ownership of Assets
A.7.1.3 Acceptable Use of Assets
Human Resource Security:
The entire clause has been modified to be more comprehensive and to follow the entire employment cycle.
Communications and Operations Management:
Several control objectives have been added reflecting changes in technology: mobile code security, electronic commerce, on-line transactions.
Other control objectives have been added for emphasis: level of services, monitoring, logging, clock synchronization.
Information Systems Acquisition, Development and Maintenance:
Removed: control objectives regarding encryption, digital signature and non-repudiation services.
Added: control objectives regarding technical vulnerability management.
Information Security Incident Management:
The entire clause has been added, with control objectives regarding the reporting of events and weaknesses and their management.
Business Continuity Management:
The control objective A.11.1.2 Business Continuity and Impact Analysis has been modified and renumbered as A.14.1.2 Business Continuity and Risk Assessment.
4. Process of Assessment and Registration
Step 3: Formal application to BSI (application submitted)
Step 4: Appointment of Information Security Client Manager and Assessment Team (3 month notice period)
Step 5: Staged assessment
Pre-Assessment Visit (optional)
Stage 1:
Scope of the management system
Information Security Policy
Risk assessment method and results
Selection of controls
Statement of Applicability
Stage 2:
The assessment of information security related risks and the framework of the ISMS
The Statement of Applicability
The objectives and the targets obtained from the design process
Performance monitoring, measuring, reporting and reviewing against objectives and targets
Security and management reviews
Management responsibility for the information security policy
Links between policy, results of security risk assessment, objectives and targets, responsibilities, programmes, procedures, performance data and security review
Step 7: On-going annual assessment
Continual assessment
Tri-annual re-assessment
Major nonconformities:
6. BSI Presence and Abilities in Romania
Abilities:
2 certified BS 7799 Lead Auditors
2 certified ISO/IEC 27001 Lead Auditors
7. Next Steps
Enquiry
Preliminary Visit
Company Profile
Quotation
Application
Client Manager Appointed

Thank you for your attention!