Launch of revised BS 7799 standard at international conference

Press release: 5 September 2002

BSI launched the revised BS 7799 Part 2 on September 5 2002 as the centrepiece of a major international conference in London.

The UK Minister of E-Commerce and Competitiveness, Stephen Timms and Jeremy Ward from the Confederation of British Industry (CBI) joined BSI's General Manager of Standards Development, Ingrid Waloff, to launch the new standard alongside new Guidelines for Information Security published by the Organization for Economic Co-operation and Development (OECD).

Mr Timms told the packed conference room, “Today marks a big step forward. I warmly commend the work of BSI and all the participants in this exercise - both in the UK and overseas - for producing a new and improved tool to help businesses manage the risk to their information assets."

He added that the revision to BS 7799 came about partly in order to align the standard with the other management systems standards, adding that it was important for information security to be incorporated in the overall management systems approach, and not marginalized as a technical issue. “This helps take information security management into the Board Room" he said.

Referring to the OECD Guidelines and the new standard, the Minister continued, "Today we are celebrating the launch of an international framework for improving the security of information systems and a UK initiative that will help companies demonstrate their compliance with those Guidelines. I am sure that other national standards bodies will very shortly adopt the standard as an international benchmark on how companies show their commitment to the management of information security."

He concluded,"This conference is part of the process of moving towards that international acceptance and I would like to compliment the participants on being among the pioneers in this important field."

In her remarks to the conference, Ingrid Waloff said that BS 7799 had become one of the world's most popular standards. She added, “The revised Part 2 enables organizations to develop, implement and continuously improve their Information Security Management Systems and provides confidence in an 'e-business' environment, compliance with legislation such as the Data Protection Act, and if required, third party assessments and certification."

She added that Part 1 of BS 7799: 1999 had been adopted as ISO/IEC 17799, and Part 2 had been adopted in Sweden, Finland, Norway, Japan, Hong Kong, India, Australia, Taiwan and Korea - hence the conference title of BS 7799 Goes Global.

Held over two days in central London, the conference was run to discuss the implications of information security governance. The themes clearly struck a chord because they attracted more than 100 delegates from the UK, Germany, Saudi Arabia, Italy, Denmark, the Netherlands, Japan, France, Mexico, Finland, Slovenia, Nigeria, Hong Kong and Hungary. Twenty-eight international speakers presented.

BSI produced the event in partnership with the DTI and several commercial sponsors. BSI worked throughout with a Programme Committee from the International User Group of BS 7799 on developing the conference content.

The event was a resounding success - evidenced by the delegates' unanimous call for the conference to run annually. Everyone was enthusiastic about the content and the learning and networking opportunities, confirming BSI's position at the leading edge of the international information security community. 

To risk or not to risk your corporate information? This is the question that should be discussed within any organization. Do you put your organization at risk or do you take action to establish and manage an Information Security Management System?

The development of BS 7799-2:2002 is now complete and the revision is now available from BSI. This new edition, like the previous edition, is a risk-based approach for assessing, evaluating, treating and managing the risks.

The new edition has been produced to harmonize it with other management system standards such as BS EN ISO 9001:2000 and BS EN ISO 14001:1996 to provide consistent and integrated implementation and operation of management systems.

It was also developed due to a need for continual improvement processes to ensure that effective information security management is established and maintained.

The new edition of BS 7799: Part 2 introduces a Plan-Do-Check-Act process model as part of a management system approach to developing, implementing, and improving the effectiveness of an organization's information security management system within the context of the organization's overall business risks:

  • Plan - business risk analysis 
  • Do - internal controls to manage the applicable risks 
  • Check - a management review to verify effectiveness 
  • Act - action as necessary. 

The revised standard has improved definition and clarification of the links between the risk assessment process, the selection of controls, and the contents of the Statement of Applicability. It also includes guidance on how to use the new edition.