Standards help protect data


22 November 2007

Information security managers concerned about the incident that occurred at HM Customs and Revenue this week should look to BSI British Standards for guidance on information security and data protection.  

Mike Low, Director of BSI British Standards, said: “The events of the last couple of days will force many organizations to reassess their handling of valuable data.  A range of British Standards in this area can provide a structured approach to information security and data protection.  Specific guidance and the opportunity for independent 3rd party certification are also available. 

“Last year 62% of businesses reported information security issues (1) but with a range of international standards, detailed guidance, certification and training available, there are well established business tools available to all types of organisations to manage such risks.” 

Information Security

Making sure the right people, processes, procedures and technology are in place is key to the protection of information assets.  British Standards on information security help minimize possible harm to organizations caused by deliberate or accidental acts.

BS ISO/IEC 27001 is a risk-based management system which provides a structured approach to information security, protecting information regardless of format.  BS ISO/IEC 27001 is a certifiable standard which means an organization of any size, sector or function can seek independent 3rd party verification of its information management performance.

This voluntary standard, originally developed by BSI, has already established worldwide renown for the sharing of best practice in this area.

ISO/IEC 27002 is a code of practice developed to build best practice in information security and assist an organization in implementing an information security management system.  The standard covers a range of information security topics including security policies, asset control, and personnel security.

Data Protection

BSI Data Protection Guide (BIP 0012), was prepared with the assistance of the Office of the Information Commissioner and UK industry.  It provides practical guidance on implementing the Data Protection Act (1998) Legislation and deals specifically with areas such as email policy, database management, subject access and e-commerce.

British Standard on Data Protection.  Work is foreseen on a new data protection standard which will provide organizations with a method of assessing and demonstrating their compliance with the requirements of the Data Protection Act (1998).

Mike Low said, “We are actively engaged with the Information Commission and many other local and global stakeholders to deliver a comprehensive range of standards based business tools that provide not only advice, but effective implementation of best practice in this area.”

“A key point in any business for ensuring that it manages such risks is not just using the standard, but ensuring it is embedded into the organization and demonstrating, through independent and regular assessment, that their processes and capabilities are kept up to date.”

1.   In 2006 62% of businesses reported information security issues - from DTI Information Security Breaches Survey in conjunction with PWC, 2006

About BSI Group
BSI British Standards is part of BSI Group, a global independent business services organization that inspires confidence and delivers assurance to customers with standards-based solutions. Originating as the world’s first national standards body, the Group has over 2,250 staff operating in over 100 countries through more than 50 global offices. The Group’s key offerings are:

• The development and sale of private, national and international standards and supporting information
• Second and third-party management systems assessment and certification
• Product testing and certification of services and products
• Performance management software solutions
• Training services in support of standards implementation and business best practice.