What is this standard about?
It’s about risk management in relation to information security. It covers all the necessary processes to manage information security risks.
Who is this standard for?
Every organization with information will benefit from using this standard, regardless of size or sector. In terms of role, it will be used by:
- GRC managers
- Security managers
- Operational managers
- Anyone responsible for implementing the requirements of the General Data Protection Regulation in their organization
Why should you use this standard?
It plugs the gap left between the international standard on information security risk management that was last published in 2011 (ISO/IEC 27005:2011) and the revised ISO/IEC 27001 which was published in 2013.
As such BS 7799-3:2017 provides essential support for the implementation of ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements and all sectoral and application specific uses of that standard.
Why do you need the BS 7799-3:2017?
In order to manage information security risk effectively BS 7799-3:2017 must be used, and takes its place as the standard against which information security risk management in your organization can be measured.
How is it different from BS 7799?
The standard is a subset of the original standard.
The previous standard was based on the words “should” and “shall”. This standard relies on the word “must” in most of its requirements. It is, therefore, much more prescriptive about the information security risk management processes that organizations must follow.
The standard has been reviewed by both Information Security Forum (ISF) and BSI Group.
BS 7799-3 is the only benchmark that accurately captures the entire gamut of information security risks for an organization, including malicious and accidental events. In comparison to its predecessor the standard is far more prescriptive and it creates specific requirements for the information security risk management function. Whilst it does not make any reference to ISO 27001-3 it has been developed in consultation with BSI and in response to the standards requirements.
Why is this standard published so late?
Its late publication was caused by an extended revision process which was additional to the revision period required by standard setting bodies. This prolonged revision schedule was a direct consequence of the popularity of the standard with its adopters. As well as satisfying the need for an updated standard there were many requests for the standard to cover a wider range of information security risks including malicious and accidental events.
How do you use this standard?
The standard simply replaces the previous 2000 edition of BS 7799. It is the ultimate criterion against which organizations using the standard should evaluate the effectiveness of their information security risk management processes.
How did the previous standard of this name develop?
BS 7799 was developed in 1999 by a collaboration of the British Standards Institution (BSI) and professional bodies representing people working in information security.
It was based on the five categories of actions identified by ISO/IEC 27005:2011.
How does this standard build on the previous one?
Like its predecessor, the standard is based on the five categories of actions identified by ISO/IEC 27005:2011, but it is also divided into other areas in order to ensure that all information security risks are addressed.
Are these New Standards?
No, they are the current release of the existing standard.
Why is this standard BS instead of ISO?
BSI is a leading worldwide standards organization. It has over 800 national standards working in 100 countries.
It was therefore considered important that the revised standard was issued under its brand. This is in stark contrast to BS 7799 Part 1 1999 edition and BS 7799 Part 2 1998 edition which was both issued and accredited under the British Standards Institution (BSI) brand.
How was this Standard developed?
The standard has been developed through a collaborative effort involving BSI, ISF, Accredia, ISACA and the Information Security Forum (ISF). It has been reviewed by both Information Security Forum (ISF) and BSI Group.