BS7799 could arguably be called the most confusing of all standards. It simply keeps 'morphing' into different documents.
It began life in 1995, as a re-publication of an earlier DTI security code of practice. It was upgraded in 1999, and in 2000 was 'fast tracked' into ISO17799. Refusing to die, the name re-emerged as BS7799-2 in 2002, this time focusing upon information security management systems. This too, however, was fast-tracked and became ISO 27001 in October 2005.
Yet again, BS 7799 returned, this time being: "BS 7799-3:2005 Information security management systems. Guidelines for information security risk management". This document is intended to provide guidance to support the requirements given in ISO27001 regarding all aspects of an ISMS risk management cycle. The full contents are described here: BS7799-3
The future? It is highly likely that eventually BS7799-3 will follow the path of the other BS security standards and be fast tracked to become an ISO standard. In fact, a number, ISO 27005, has already been designated (albeit loosely) for a security risk management standard. This change is certainly not likely to occur in the short term, however.
The first step is usually to obtain a copy of the standard itself. BS7799 can be procured either stand alone, or as part of an introductory toolkit (which includes ISO17799 and ISO27001).
The latter provides various building blocks, as well as BS 7799 route maps, a presentation and other material.
Complying With BS7799
Achieving compliance with BS 7799 is a substantial task. Assessing compliance levels for information systems, and then creating and implementing the plans needed to become fully compliant, can be a very intensive process indeed. However, with the correct approach and method this effort can be minimized.
For more information on BS7799 and how to address its requirements, please do not hesitate to contact us.