BS 7799/ISO 17799
(Page 18 of 20)  < Prev  10 11 12 13 14 15 16 17 18 19 20  Next >
Securing information on backup tapes 2005-10-06
Rose Ross (rose omarketing co uk)
Is this area covered by BS7799?

I am getting some interesting statistics on some research we are
conducting re: data encryption policies and responsibilities for this
area of storage security.

I'd appreciate any thoughts on this.

If anyone would like to participate or receive the results of th

Re: ISO17799 compliant Vs BS7799 certified 2005-10-05
Cesar Tarazona (ctarazona etek com co)
Jo, the certificate is the final step and it's the only way to
certify if the company or area (look at the ISMS scope) is "ISO17799
compliant". In practice, there is an ISO17799 compliant status, because
nobody certifies this status.

If your vendor or client or someone else claims they are

RE: mandatory controls 2005-10-05
Gaurav Shukla (gaurav shukla paladion net)
Hi,
Before answering the question, let's take a quick look at the standard.

The BS 7799-2:2002 standard has sections 1-7 and four Annexures (A, B, C & D)
--- Section 1 is * SCOPE * which specifies the * requirements * for
establishing, implementing, monitoring, reviewing, maintaining & improving a
d

FW: ISO17799 compliant Vs BS7799 certified 2005-10-05
McCann, Tom (tom mccann newellandbudge com)
Jo

Certification is the credential to look for in your vendor. This will
provide you with assurance that the organization's ISMS has been
independently audited and is subject to regular reassessment.

Compliance is an often misunderstood term and merely implies
self-attestation.

When assessing yo

RE: mandatory controls 2005-10-05
Rajendra Bhalerao (rajendra bhalerao paladion net)

Dear Jane,

None of the controls mentioned are mandatory.
Yes, you are right. It's just that your organization needs to decide which ones are
applicable to you and get them implemented; the ones missed need to be
justified. That's it...

Regards,

Rajendra Bhalerao
Paladion Networks
India
Phone: 9

RE: ISO17799 compliant Vs BS7799 certified 2005-10-05
sameer anja wipro com

Claiming ISO 17799 compliant means that they are compliant to the
standards but not certified by an auditor.

Certified means they conform to the standard requirements and are
audited by a certified auditor.

Better is to be certified - gives more marketing mileage.

-Sam

-----Original Message---

RE: mandatory controls 2005-10-05
sameer anja wipro com

There are no mandatory controls.

You take a decision on which ones to apply on the basis of the Risk
Assessment you do. The threats identified have to map into the BS7799
controls and you select on the basis of applicable threats.

-Sam

-----Original Message-----
From: jane kiran [mailto:jane.ki

RE: mandatory controls 2005-10-04
Martin Dion (martin dion abovesecurity com)
Good evening,

All of the mandatory controls are listed prior to the appendix section of BS7799 part 2 (i.e. documentation management...).

The controls that you see within ISO17799/ BS7799 part 1 are, technically, all mandatory unless you can justify the non-adoption of some of them.

To just

mandatory controls 2005-10-04
jane kiran (jane kiran gmail com) (1 replies)
Hi,

We are planning for certification.
Are any of the controls in BS7799 part 2 mandatory, or can we decide
which ones are applicable?

Rgds

K

RE: mandatory controls 2005-10-04
Vivek Prabhakar (vivek prabhakar vcustomer net)
ISO17799 compliant Vs BS7799 certified 2005-10-04
joeljos9 aim com (2 replies)

Security is one of the evaluation criteria in our vendor selection
process. Some claim they are ISO17799 compliant while others state they
are BS7799 certified.

Are both of these the same or different... which is better?

Adieu
Jo

Re: ISO17799 compliant Vs BS7799 certified 2005-10-04
Joao Moita (joao moita gmail com)
Re: ISO17799 compliant Vs BS7799 certified 2005-10-04
Breno Colom (breno aureal com pe)
Re: RE: BS7799 Software 2005-09-30
tlambo eFortresses com
Mohammed,

Check out the eFortresses Compliantz product;
it is a web-based risk assessment product that allows you to perform regular gap analysis against both the old and new ISO 17799 standards i.e. ISO/IEC 17799:2000 and ISO/IEC 17799:2005, as well as identify gaps to regulatory compliance requir

Re: Guidelines for defining the scope? 2005-09-30
cto nii co in
Actually, deciding the scope involves a number of factors, depending on how large your organization is, and what your options are. We recently did a 4 week exercise for a major telecom company, simply to help them decide the best scope for their implementation. The various factors considered were:

RE: Code of practice, standard? 2005-09-30
sameer anja wipro com

17799 part 1 is a code of practice, as Joao mentions, a guideline.
27001, in draft form and currently the part 2, is the standard against which you get audited and certified.

Hope this clarifies.

-----Original Message-----
From: Joao Moita [mailto:joao.moita (at) gmail (dot) com [email concealed]]

Sent: Thursday, Septem

RE: BS7799 Software 2005-09-30
Inskeep Chris (KFRM) (chris inskeep credit-suisse com)
There are several providers. Pulinco is a Swiss company that has a
useful and affordable tool. Given the overhead, you really only want to
bother with a tool if you have a number of sites that you are
evaluating.

C.

-----Original Message-----
From: Martin Dion [mailto:martin.dion@abovesecurity.

RE: Code of practice, standard? 2005-09-29
Velasco Herrero, Jose Antonio (joseantonio velasco t-systems es)
Basically 17799 is a Code of Practice because the usage of all of the controls enumerated in that document is not mandatory. BS7799:2 is a standard because all the points written down there are mandatory so someone can audit its usage.

Note that the Statement of Applicability (required for BS7799:2

RE: Software Development and BS 7799 2005-09-29
Manu Nath (manu nath paladion net)
Hi Vinod

While ISO 9000 is for Quality Management, BS7799 is an Information Security
Management System.

The standard insists on involvement of top management in security
initiatives. This will ensure that security is given adequate importance by
all.

The standard follows a Plan-Do-Check-Act mo

Code of practice, standard? 2005-09-29
federico dirube accenture com (2 replies)
Hi everyone,

Does anyone know the differences between the concepts of "Code of Practice" and "Standard"?
I'm not quite sure why exactly the 17799 is a code of practice and not a standard.

Federico Dirube
Accenture
Resou

RE: Code of practice, standard? 2005-09-30
Manu Nath (manu nath paladion net)
Re: Code of practice, standard? 2005-09-29
Joao Moita (joao moita gmail com)
RE: BS7799 Software 2005-09-29
Martin Dion (martin dion abovesecurity com)
Good morning,

First, you do not need software to conduct a gap analysis.

Second, you need to establish your Statement of Applicability before
conducting a gap analysis.

Once your SOA is implemented, you can use various checklists or the
standard itself to turn the objective into a question and esta

[Moderator] Administrivia 2005-09-29
Jose Varghese (jose varghese paladion net)

My apologies for letting through an email with "Read Receipt" enabled.

Here's a quick checklist before you post a mail to the list

-- Use "Plain Text" format only

-- Do not enable special options like "Read Receipt", "Delivery Receipt"
etc.

-- Trim your posts to avoid long trailers

-- Avoid cr

BS7799 Software 2005-09-29
Mohamed Abdel Kader (mak 7799 gmail com)
I was wondering what software everyone out there is using to do their gap
assessments and their feedback regarding the products they've used.

Best regards everyone.

Re: Software Development and BS 7799 2005-09-28
manu puthumana paladion net
Hi Vinod,

When you say a company is ISO 9000 certified, it means the company has a QMS (Quality Management System) in place. This ensures that the company has a process-oriented approach towards developing its products. ISO 9000 certification also ensures that the company has proper documentation, v

RE: Guidelines for defining the scope? 2005-09-27
Jose Varghese (jose varghese paladion net)

From: V.G. Kailash(IT) [mailto:vgkailash (at) bankmuscat (dot) com [email concealed]]
Sent: Tuesday, September 27, 2005 10:45 AM
To: Stephen P
Cc: bs7799 (at) securityfocus (dot) com [email concealed]
Subject: RE: Guidelines for defining the scope?

Hi Stephan,
A limited part of an organisation may be offered for certification and
independently define

Re: Software Development and BS 7799 2005-09-27
binoykl gmail com
It depends on your way of implementation. An actual implementation will ensure that you cover all assets in the scope and avoid loopholes. The SOA and the risk treatment methodology play a crucial role in the effectiveness of the implementation.

One major challenge and if achieved, the benefit

Copyright 2010, SecurityFocus