ISO 17799 and ISO 27001 Newsletter

The David L Watson Interview

The following questions were presented:

Have you any hints or tips on implementation, certification or the standard generally?

My top 10 tips are:

•   The most important thing to do to start a BS 7799 implementation project is to ensure that you have demonstrable management commitment and ring-fenced resources;

•   Get a reasonable scope that you can manage without over-extending the project;

•   When performing the risk assessment, aggregate assets so that you are not performing a risk assessment on each PC when you have 500 of them. Ensure that the threats and vulnerabilities are appropriate and reasonable. Use a tool or two wherever possible and where they are appropriate and a best match for the task in hand. Ensure that their countermeasures are mapped to BS 7799 controls;

•   Ensure that the SoA is a readable, usable and maintainable document. Try to make it as easy as possible for the CB Auditor to use. I prefer using linked HTML pages that are fully linked, cross-referenced and indexed to make finding the correct information as easy as possible;

•   Ensure that all controls implemented are fully documented and the system is managed, monitored and maintained;

•   All systems should produce records that are appropriate and available for the audit;

•   Ensure that the CB Auditor has objective proof of a compliant system. This will come from a well-run and managed system with appropriate input from the Information Security Manager;

•   Where necessary, test processes to ensure that they work – don’t assume or take someone’s word for it;

•   Prepare for audits and make the CB Auditor’s life as easy as possible for the duration of the audit. Try to build a relationship with the CB Auditor so they understand your approach and methods;

•   If relying on someone else’s certificate as proof of adequate security to allow them to connect to your systems, determine the following:

    -   Qualifications of the auditor;

    -   Scope of Certification;



The Newsletter

The ISO 17799 and ISO 27001 Newsletter is published periodically. It provides news and background for those interested in information security generally, and ISO 17799 / ISO 27001 specifically. In addition, we provide occasional 'breaking news' bulletins covering any major event related to the standards.



© Copyright 2005/2006.