
Privacy Laws and Business International Report



BS7799 helps compliance with UK data protection law [1999] PLBIRp 52; (1999) 51 Privacy Laws and Business International Report 8

BS7799 helps compliance with UK data protection law

BRITISH STANDARD 7799 for information security management is a useful tool for ensuring compliance with the security requirements of the UK Data Protection Act 1998. Insight Consulting, the first organisation to achieve BS7799 certification, recommends the standard as a practical way of improving security.

The EU Data Protection Directive, and new national data protection laws in Europe have introduced stricter requirements for information security. In the UK, the Office of the Data Protection Registrar has indicated that compliance with BS7799 could be seen as appropriate security measures as required by the new data protection law. The standard, as its name suggests, deals with information security, not just IT security.

BS7799 is intended to be used as a reference document by those who develop and implement information security practices in their organisations. It consists of two parts: the code of practice and the specification for information security management systems. The original version of BS7799, published in 1995, has been revised to take into account the security challenges of the online world and new technologies. The new version includes controls for areas such as electronic commerce, mobile computing, teleworking and outsourcing. It is suitable for all sectors and sizes of organisation, and can be applied either to separate departments or to whole organisations.

NEW CERTIFICATION SCHEME

A certification scheme for the standard, c:cure, was launched in April 1998 by the Department of Trade and Industry and the BSI (British Standards Institution). The first c:cure certificate was awarded exactly one year after the launch to Insight Consulting, an independent management consultancy specialising in information security, business continuity and risk management.

Richard Mayall, Senior Consultant at Insight Consulting, and Michael Stimson, Research Consultant, had been actively involved in the process. They explained that a key motive for Insight Consulting to apply for certification so quickly was to demonstrate to their clients, and to potential future clients, that they take information security very seriously and that they have an in-depth understanding of the standard. Insight believes that obtaining certification against the standard is an important benchmark for any organisation offering consultancy services in this area.

"The company decided to seek certification for the whole company rather than just for a part of the company, which brought its own challenges. However, we would always advise large and complex organisations to approach BS7799 certification in a staged and structured manner," explained Richard Mayall.

"The whole process started by conducting a gap analysis in order to identify the current status of information security throughout the company, with respect to the standard. The analysis did not result in many changes as, being specialists in this area, we have always put a lot of emphasis on information security and our Information Security Management System (ISMS) was already relatively mature and stable. It was important, however, to be able to demonstrate to the auditors that an analysis had been conducted, and we also had to consider whether or not we had adequate evidence in the form of records."

CERTIFICATION REQUIRES FORMAL RISK ASSESSMENT

"The next step was to conduct a formal risk assessment, which is a fundamental requirement of the scheme. We used the CRAMM methodology, supported by the CRAMM software tool, which provides a standard and rigorous method of identifying and evaluating risks to information systems and networks. In order to receive the certification, we had to be able to show the auditors how the assessment was carried out, which was aided by the intuitive nature of CRAMM. Following the risk assessment, we drafted a Statement of Applicability and an Information Asset Register. That includes, for example, registering the information types that we hold and ranking them in order according to their value to the organisation," Richard Mayall explained.

"Certification to BS7799 also requires periodic internal reviews of security. We have always maintained a strong awareness of good security practice amongst our staff, and certification led us to formalise this principle into a structured and documented internal information security audit programme. As part of the rolling programme, we review the continuing accuracy of the risk assessment, to assess whether the risks are the same as before. In this respect, no change was needed. Certification just made us record our findings more formally and approach our security controls in a more structured, standardised way. For every security control that the company adopts, we have to be able to demonstrate that we are using it. For example, we need to keep logs of routine maintenance operations, such as system backups. This is good practice anyway, even for a relatively straightforward system."

STRINGENT AUDIT PROCESS

The main change from the previous security arrangements for Insight Consulting is the fact that certification requires more formal audits, as compliance with the standard is assessed by independent auditors. UKAS sets a day rate for auditors, who typically charge between £400 and £500 per day.

Insight's auditors (DNV Quality Assurance Ltd) were initially on site for five days, and examined how the standard had been put into practice in terms of the documented Information Security Management System. External audits take place every six months, with a complete audit against the entire standard conducted after three years. In addition, regular internal audits take place throughout the year.

Richard Mayall explained that organisations need to be prepared to have anything examined, including the awareness of their staff.

"The auditors wanted to ensure themselves that all of our 40 staff in the company were fully aware of our approach to information security and that the policies were implemented effectively. For example, they asked one of our consultants where certain manuals are kept."

Therefore, it is important to ensure that all staff are aware of the information security procedures. Michael Stimson explained how Insight Consulting ensures that everyone knows what they can and cannot do with information.

"Everyone who joins the company receives a copy of the security manual, and has to confirm with their signature that they have read and understood it. Even though we are in the security field, we make no assumptions about the security awareness of staff, and we would recommend that other organisations adopt a similar approach."

COMPLYING WITH DATA PROTECTION LAW

Insight Consulting regards personal data as the most important data it holds, and it is treated differently from other data. "We hold personal data for two registered purposes: personnel administration and marketing. The personnel data also includes some sensitive data, namely health records. Only one person has access to personnel data, and the records are locked away, including during office hours," Michael Stimson explained.

"With regard to homeworking, the company equips employees with the kinds of security controls that are needed to ensure that information is secure, for example lockable filing cabinets, and a secure method for gaining remote access to the company's IT systems," Richard Mayall continued.

The UK Data Protection Act's principle 7 requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Richard Mayall's view is that implementing the 7th principle and gaining formal certification should give a strong indication that an organisation is taking "due care" in considering its security requirements, and therefore should help to meet this aspect of the Data Protection Act.

"Data protection is a big driver for organisations at the moment to conduct risk assessments. We understand that appropriate measures means identifying your information and its value by using a risk assessment methodology, as well as identifying the security threats to your organisation and taking action to overcome them."

The Act also requires organisations to notify a general description of their security arrangements to the Data Protection Registrar. Michael Stimson was pleased that the notification details will remain between the company and the Registrar - they will not be included in the register of data users that is available for anyone to see. "We would not wish to give full details of our security systems. However, there is no problem in giving a general description of our procedures."

BENEFICIAL PROCESS

"The company has definitely benefited from the certification. In addition to good PR and new clients, we are now working in a more controlled and structured way. With improved security awareness generally, the certification itself is not expensive, but companies should not underestimate the ongoing process costs associated with running an effective Information Security Management System, particularly the requirement for regular internal audits. As working in this controlled way brings with it other business benefits, such as improved communication, awareness, reduced risk and increased efficiency, I would recommend it to anyone," Richard Mayall summarised.

"Although I have to say that many companies fail to meet the spirit of BS7799 because they have misinterpreted the standard. Meeting the spirit is, however, required to achieve certification - companies must be able to demonstrate that they are also complying with their security policies."

Michael Stimson saw benefits also in terms of data protection. "Being certified puts us ahead of the game next year when the new Data Protection Act will be enforced. As adoption of the standard becomes more and more widespread, some business partners may begin to mandate it. It is therefore useful to have it already in place. In the future, the standard may be adopted internationally - there is currently a lot of interest from other countries."

For more information about BS7799, contact the c:cure office at DISC, 389 Chiswick High Road, London, W4 4AL. Tel: +44 (0) 181 995 7799, Fax: +44 (0) 181 996 6411, e-mail: c_cure@bsi.org.uk, Internet: http://www.c-cure.org. To contact Insight Consulting, write to Churchfield House, 5 The Quintet, Churchfield Road, Walton-on-Thames, Surrey KT12 2TZ. Tel: +44 (0) 1932 241 000, Fax: +44 (0) 1932 244 590, Internet: www.insight.co.uk


URL: http://www.worldlii.org/int/journals/PLBIRp/1999/52.html