by The Open University
Available in 39 free installments
Owner:
Clause 4.1 of Part 1 of the Standard describes the processes and personnel required to support an ISMS under development or in operation. Chapter 4 of IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 177799 (the Set Book) provides a detailed description of each of the components of such support systems, as well as exploring their interrelationships.
Study Reading 3 (linked below), a short section from Clause 4.1 of Part 1 of the Standard, and Chapter 4 of the Set Book (the subsection of Chapter 4 of the Set Book entitled ‘BS 7999 project group? should, of course, read ‘BS 7799 project group?). Then summarise the main structures and roles that are suggested by the Standard for an organisation that is developing an ISMS.
Click below to open Reading 3 (0.04 MB).
View documentBoth readings discuss the structures needed to support the development and operation of an ISMS. Although you need to be familiar with these structures, this unit will not require you to develop or implement them.
Note that the Standard generally makes suggestions for infrastructure rather than laying down requirements. The Set Book, however, describes the systems that would be needed if the suggestions of the Standard were to be accepted in full.
Unless specified otherwise, the references in the Set Book to clauses of the Standard are to clauses in Part 2 of the Standard. Furthermore, references prefixed by A, B, C or D are to Annexes A, B, C and D of Part 2. The Set Book sometimes refers to clauses in Annexe A as ‘controls?, since the clauses in that annexe describe the controls specified by the Standard. Note also that the controls in the clauses of Annexe A of Part 2 of the Standard are discussed in more detail in the corresponding clauses of Part 1, so that, for example, the control in clause A.4.1.1 in Annexe A of Part 2 is discussed more fully in clause 4.1.1 of Part 1.
The Set Book uses ISO 17799 as a shorthand for what we prefer to refer to as Part 1 of the Standard. Sometimes, particularly when referring to clauses of the Standard, the Set Book uses BS 7799 as a shorthand for what we prefer to call Part 2 of the Standard; at other times, rather more correctly, it uses BS 7799 to refer to complete Standard, both Parts 1 and 2.
For the purposes of this activity, you are not expected to read or look up any parts of the Standard other than Clause 4.1 of Part 1. Do not spend time looking up the references in Chapter 4 of the Set Book to other parts of the Standard. You should also ignore suggestions for looking at other chapters of the Set Book.
ISO 9000, referred to in Chapter 4 of the Set Book, is the International Standard for quality assurance or quality management systems.
Part 1 of the Standard (Clause 4.1) describes the processes and personnel required to support an ISMS under development or in operation. The main structures and roles that are suggested by the Standard for an organisation that is developing an ISMS may be summarised as follows.
There should be a management information security forum, the role of which is to provide clear direction and visible management support for the ISMS. The forum would be responsible for: reviewing and approving information security policy and high-level responsibilities; ensuring sufficient resources for the development, implementation, operation and maintenance of the ISMS; monitoring significant changes in threats to the organisation's information assets; reviewing information security incidents within the organisation; approving initiatives to improve information security; regular reviewing of the ISMS; and allocating information security responsibilities.
There should be a single information security manager responsible for all aspects of information security, including the implementation of the management information security forum's decisions.
There should be an authorisation process for new information processing facilities that will allow the organisation to adopt new technologies without compromising security.
There should be an information security adviser, whose job is to provide advice on specialist topics, including the choice of security technologies required by the ISMS.
There should be an independent internal review board for the ISMS.
Chapter 4 of IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 177799 (the Set Book) provides a detailed description of each of the components of such support systems, as well as exploring their interrelationships.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).
