RE: Guidelines for defining the scope? - 2005-09-26 - Standen, Malcolm (Griffin) (malcolm standen-eds eds com)

Re: Guidelines for defining the scope? - 2005-09-26 - mkader gmail com: Hi SP, looking into the ISO 17799 there are no specific guidelines mentioned. However, when scoping for ISO you decide upon the scope based on Strategic Business Units (SBUs); a definition can be found here: http://en.wikipedia.org/wiki/Strategic_business_unit I guess the data center can be conside [ more ] [ reply ]

Guidelines for defining the scope? - 2005-09-26 - Stephen P (stephen pp gmail com): Hi All, As was mentioned in a previous thread, defining scope seems to be the first step towards implementing BS 7799. Does the BS 7799 standard provide any guidelines for defining scope? I am targeting the certification of our data center. All servers are hosted here. We have a core team who ma [ more ] [ reply ]

Software Development and BS 7799 - 2005-09-26 - Vinod Markandeyan (vinod markandeyan gmail com): We are a software development company doing work for several globally reputed customers. Recently we had several enquiries from clients regarding our status on BS 7799 certification. We are already ISO 9000 certified. For those who have already implemented this, what are the "real" security improv [ more ] [ reply ]

Re: RE: list of certification agencies? - 2005-09-26 - binoykl gmail com: It all depends upon the organization and the skills within. You can count 3 scenarios: 1. Hire the consultants right at the start and ask them to be with you till the certification is over. This is applicable if the company has less manpower to carry out the activities. 2. Get consultants to guide yo [ more ] [ reply ]

RE: Estimating time for BS7799 implementation - 2005-09-25 - Manu Nath (manu nath paladion net): Hi David, Time taken is directly dependent on the scope selected for certification (e.g. the scope can be just the data center, or a particular business unit, or the entire organization). Once the scope is determined, we should assess the current security readiness. Some of the key aspects include [ more ] [ reply ]

Re: RE: bs7799 gap assessment - 2005-09-22 - ctarazona etek com co: Hi everybody... My name is Cesar and I'm very glad to have this list on SecurityFocus. I'm new to the list and I read all the posts you sent... I want to write about the themes you're talking about. 1. Gap Analysis: I agree with Manu. This is the baseline to find out where the organization is a [ more ] [ reply ]

RE: bs7799 gap assessment - 2005-09-22 - Romero, Javier - (Per) (javier romero telmex com): Hi Mohammed Abdel, If I were you, I would obey common sense. I made my very own bs7799 gap assessment of my own security team three years ago, if my memory is good. I never knew that it was called a gap analysis or assessment until I met a friend with hours flying bs7799. What I can recommend you [ more ] [ reply ]

Re: bs7799 gap assessment - 2005-09-21 - manu puthumana paladion net: Hi, By doing a BS7799 gap assessment you are trying to find out where your organization stands as far as compliance with the BS7799 standard is concerned. Once the gap analysis is done you can go ahead with plans for fixing the gaps and becoming compliant with the standard. On a broad level I hope follo [ more ] [ reply ]

RE: 127 controls - More or Less - 2005-09-20 - pochew cisco com: Hi, ISO17799 (ISMS) users group http://www.xisec.com/ ISO17799-1 (part 1) will be renamed to ISO27002 and BS7799-2 (part 2) will be renamed to ISO27001 coming Nov 2005. Some information: http://www.27000.org/index.htm Rdgs, PC -----Original Message----- From: Ivan . [mailto:ivanhec (at) gmail (dot) com [email concealed]] [ more ] [ reply ]

Re: 127 controls - More or Less - 2005-09-19 - nigel willson sbc com (1 reply): As well as a good study of the ISO 17799:2005 standard document you may want to consider that while it is quite comprehensive it may not [will not] address all of your needs. I personally feel that this is just another guideline to follow and can be considered with other best practice guides, such [ more ] [ reply ]

RE: RE: bs7799 gap assessment - 2005-09-19 - Gaurav Shukla (gaurav shukla paladion net): Gap assessment (analysis) checks what controls are in place versus what is required in accordance with the BS 7799 standard. This can be done soon after the RA, wherein we identify all necessary controls. Sometimes organizations take up a Gap Analysis exercise even before starting the BS 7799 pro [ more ] [ reply ]

Re: RE: bs7799 gap assessment - 2005-09-19 - mkader securityfocus com, g securityfocus com (at),mail com securityfocus com: I am referring to a methodology by which you can assess the current security status against the 7799 and identify the gap. Having identified the gap, this document then goes to the vendor attempting to certify and he/she can implement the needed controls and write up a statement of applicability f [ more ] [ reply ]

Re: Estimating time for BS7799 implementation - 2005-09-19 - mkader securityfocus com, g securityfocus com (at),mail com securityfocus com

bs7799 gap assessment - 2005-09-19 - Mohammed Abdel Kader (mkader gmail com) (1 reply)

127 controls - More or Less - 2005-09-17 - Allan Border (allan border gmail com) (2 replies): I am writing this to people on this list who have already implemented the BS7799 standard. I am charged with the responsibility of implementing BS 7799 in our company. Should we implement all the 127 controls? What if I want to implement some controls that are not identified by the standard? Thanks, [ more ] [ reply ]

Estimating time for BS7799 implementation - 2005-09-17 - David Thomas (davidthomas73 gmail com) (1 reply): What's the approach companies take for estimating the time and effort required for implementing BS7799? Any thumb rules or guidelines that newbies could use? To take an example: how much time would the list estimate for implementing BS7799 at a bank with 20 branches, 2000 users, 2 datacenters (Primar [ more ] [ reply ]

RE: Estimating time for BS7799 implementation - 2005-09-19 - Vivek Prabhakar (vivek prabhakar vcustomer net)

BS 7799 certification stage 1 and 2 - 2005-09-15 - Vivek Prabhakar (vivek prabhakar vcustomer net) (2 replies): Hi, Would like to know what is the course of action for BS7799 certification. As per the standard the External Registration audit is carried out in two stages, so my query is when is the certification awarded, after stage 1 or after stage 2? Secondly, is it mandatory for the certification bod [ more ] [ reply ]

RE: list of certification agencies? - 2005-09-15 - Gaurav Shukla (gaurav shukla paladion net): Kenzu, No, from the beginning itself certifying agencies are not involved. Firstly, we start preparing ourselves towards achieving certification: we identify the scope, carry out the RA, prepare the ISMS manual and SoA and conduct the internal audit. If any non-conformances are raised during the in [ more ] [ reply ]

RE: list of certification agencies? - 2005-09-15 - Standen, Malcolm (Griffin) (malcolm standen-eds eds com): The assessor (e.g. PSB Certification) cannot also be a consultant. There are very strict rules about this (conflict of interest). The assessor will work for a Certification Body (such as PSB Certification). Company "A" would hire a "consultant/consultancy firm" (or perform this work in-house) to h [ more ] [ reply ]

RE: list of certification agencies? - 2005-09-15 - Standen, Malcolm (Griffin) (malcolm standen-eds eds com) (1 reply): Kenzu, Each country operates an Accreditation Body, which in turn accredits a certification body, which in turn assesses the ISMS and awards certification in conformance with BS7799-2:2002. Various National Accreditation Bodies around the world operate a mutual recognition process that allows certificate [ more ] [ reply ]
At http://www.xisec.com/, under the Certificate Register, you will find ISMS
Scope. These are ISMS scopes as defined by the associated companies.
Hope this gives you some real-world examples.
____________________________________
[ more ] [ reply ]