Hints and Tips
If you have implemented, audited or have any other serious experience with respect to ISO 17799 and/or BS7799, please add your own hints/tips below:

Aim to reach compliance with ISO 17799 and let the processes bed-down before considering certification against ISO 27001 (ex BS7799-2).

Stick to the plan (eg: as outlined in the Guide To Certification)

If you can undertake an implementation, compliance or certification task yourself, do so. In the long run you will obtain greater benefit by learning the ropes and performing activities such writing information security policies yourself. However, advice and guidance from knowledgeable and experienced consultants can help cut corners, save time and avoid pitfalls.

Be sure that you have explicit backing from the top, the very top, of your organization for your compliance and/or certification efforts, and indeed for information security as a whole. Be sure that senior management understands the objectives, benefits and likely costs of the implementation and certification project at the outset. This implies the need to achieve management awareness of information security at an early stage. Without this, the rest is more-or-less doomed to failure.

The benefits of compliance with ISO 17799 are not necessarily limited purely to better information security. Rigorous analysis and documentation of key information processing activities may identify opportunities to improve process efficiencies, for instance. The structured information security management framework incorporates elements of ISO 9000 quality assurance practices. Legal and regulatory compliance supports management's governance obligations and reduces liabilities.

Note that information security is not the same as computer security. All information assets need to be secured appropriately, including hardcopy documents, CCTV/videoconference data, telephone systems etc. as well as computer data, systems and networks.

Once information security is brought under management control, continuous improvement is possible. Over time, information security and related processes will mature and things you can only dream of today will eventually become a reality. Have faith!

Don't forget security awareness. See ISO 17799 and information security awareness

Getting the RiskAssessment right is crucial to the success of implementation. The structure of the risk assessment is clearly outlined in ISO27001 and should be followed very closely. The fourth point above indicates how important the management commitment element is. Part of that commitment is to give approval the risk assessment process and define the levels of risk which are to be accepted, mitigated, transferred or avoided. They must also approve the residual risks following impementation of the selected controls.

Recently Changed
Certification (ages ago)
risk treatment plan (ages ago)
Spanish (ages ago)