
BS7799 accepted as international information security standard

Johannesburg, 29 Sep 2000

Local information security authority ISIZA has announced the acceptance of the British Standard Institute's BS7799 Code of Practice (COP) on Information Security Management Systems as an ISO standard. The document will be known as ISO/IEC 17799, and should be available as such in January next year.

"BS7799 received enough votes internationally to be adopted as an ISO standard," says ISIZA head Piet Opperman. "A meeting will be held in Tokyo in November to consider the comments received during the voting and to finalise the internationalisation of the document."

This bodes well for South Africa's own COP, Opperman continues, which has been under development by a sub-committee of the South African Bureau of Standards (SABS) since early this year, and is based on BS 7799.

Prof Basie von Solms of the Department of Computer Sciences at Rand Afrikaans University, and chairman of the sub-committee, reports that all documents between the British Standard Institute and the SABS for accepting BS7799 as a South African standard have been signed at presidential level.

"The document will now be sent out to all committee members, who will vote on it within six weeks," he says. "If the votes are positive, which they should be because the committee unanimously requested this move last year, the document will become a South African standard known as SABS 7799."

Prior to its acceptance as an ISO standard, BS7799 was widely accepted internationally as a standard for information security control and is implemented by an increasing number of international companies. The standard consists of two sections. Section One contains more than 100 information security control measures, which a company can apply to secure its systems, while Section Two describes the process a company must follow to become BS7799-certified.

"Companies that comply with these specifications receive an official certificate of international certification," Von Solms explains.

The certification process is carried out by an internationally accredited BS7799 auditor, of which Von Solms is currently the only Level One certified BS7799 auditor outside England.

According to Opperman, it is in a company's best interests to certify its information security procedures. "Certification not only enhances customers' faith in the company, but should the company be involved in a lawsuit, its certification serves as proof of its commitment to security. Furthermore, companies that participate in e-commerce can request certification from their e-commerce partners who have access to their network. In this way, critical company information will not be compromised."

ISIZA is geared to providing information security certification to organisations that comply with the COP for South African information security management systems.

Organisations wishing to be ISIZA-certified are required to undergo an extensive audit by an independent auditing firm to determine to what extent they comply with the COP. An appropriate certification grading (similar to the National Occupational Safety Association star grading system) is then issued which, says Opperman, is dependent, for example, on the number of qualified and skilled information security professionals the organisation has in its employ.

ISIZA is in the process of forming partnerships with leading auditing companies, as well as suppliers of information security mechanisms to facilitate companies in meeting certification requirements. "Additionally, we educate companies on information security and provide them with self-assessment tools," Opperman adds.

"Electronic trading is becoming increasingly pervasive, and as more and more South African companies begin to embrace e-business practices, certification of their information security systems will become an essential prerequisite in order to exchange information globally," Opperman concludes.


ISIZA

South Africa's own information security authority, ISIZA (Information Security Institute of South Africa), has been established. Under the leadership of renowned information security experts Piet Opperman and Professor Basie von Solms, ISIZA is geared to providing information security certification to organisations that comply with the Code of Practice (COP) for South African information security management systems.

The South African COP is currently under development by a sub-committee of the South African Bureau of Standards (SABS), and until it has been finalised, ISIZA will base its certification procedure on the internationally recognised British Standard Institute's BS 7799 COP.