A TÜV certification based on BS 7799 of your IT Security Management System (ISMS) leads to added value: You have security that you fulfill internationally recognized standards with approved requirements and establish a high degree of transparency and trust to both, your customers and your partners.

• About the Standard BS 7799
• Advantages of a BS 7799 certification
• The steps to BS 7799 certification
• Requirements for BS 7799 certification
• Getting started - an individual quotation from us

The standard BS 7799 contains a comprehensive set of best practices for IT security management and consists of two parts:

• The first part BS 7799-1 "Information security management. Code of practice for information security management" forms the reference model for an Information Security Management System (ISMS). The standard contains guidance for establishing an Information Security Management System (ISMS). BS 7799 has meanwhile reached the Status of an ISO-Standard and has been published as ISO/IEC 17799 (identical with BS 7799-1).
• The second part BS 7799-2 "Information security management. Specification with guidance for use" contains the requirements for effective application and documentation of an Information Security Management System (ISMS). BS 7799-2 is the basis for our assessment and certification.

• Security Policy
• Organizational Security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance (legal aspects, internal procedures, compliance with the standard itself)

top

• Effective security management system
• Market advantage through certificate issued by independent experts
• Cost reduction through transparent and optimized structures Security management is integrated in the business processes
• Measurement and control of IT related risks
• Documentation of security relevant structures and processes
• Staff with enhanced security consciousness
• Evaluated organizational processes with regards to IT security aspects
• Effective Business Continuity Management
• World wide accepted IT security system
• Likelihood of reduced costs for security related insurances
• Security-specific compliance with ITIL (Standard for IT Service Management)
• Integratability with ISO 9001:2001

top

Phase 1: Pre-Assessment
As part of a pre-assessment, we identify deficiencies and open issues within your existing IT security management process, which need to be identified and covered before a certification assessment can sensibly take place. The pre-assessment is not compulsory, however it is highly recommended in order to ensure an efficient certification process.

Phase 2: Certification Assessment
Once all deficiencies and open issues have been covered by your organization, our certification assessment will take place. As part of an intensive onsite-assessment by two of our experienced IT security assessors, we analyze all relevant areas within your organization. The goal of the certification assessment is to prove, that you have successfully implemented the IT security management as specified in BS 7799. The outcome of the assessment is a detailed assessment reports which details our findings. As far as deficiencies are identified, they need to be removed before the certification takes place.

Phase 3 : Certification
A soon as the assessment report is being issued and the assessment results are positive, this assessment report is being forwarded to our certification body and approved. The certificate will be processed and sent to you.

Phase 4: Follow Up Process
Annual re-assessments of your IT security management will be carried out in order to ensure that the achieved IT security level is being maintained and the certification statement.

top

• Completion of a risk analysis with analysis of threads and deficiencies as well as expectable extent of damageand likelihood of occurrence
• Establishment of a risk management system
• Establishment of a process for identification, control and cost-effective removal or minimization of risks

Furthermore, a complete Information Security Management System Documentation needs to be produced. Compliance with BS 7799 requires the following composition of documents:

• Security Policy
• Definition of the scope of the Information Security
• Management System and the implemented procedures
• Documentation of a systematic risk assessment
• Risk treatment plan to operationalize the security goals taking into account financial and personnel resources
• Documented procedures required by the organization to ensure the effective planning, operation and control of all information security processes
• Records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the Information Security Management System (e.g. visitors' books, audit records and authorization of access)
• Statement, specifying which required activities of BS 7799 have been found to be applicable / not applicable including the rationales.

On top of the BS 7799 specific documentation, our assessors require the following documents:

• Documentation of the activities of the management forum
• Documentation of responsibilities for the protection of individual assets and for the operation of specific security processes
• Documentation of a management authorization process for new information processing facilities
• Documentation of (process-)independent reviews of implemented measures
• Documentation of security aspects regarding sub contractors and outsourcing

top

In order to start an informed discussion with you, we are interested in the following information from your side:

• Name and address of your organization
• Your type of business
• Main business activities
• Number of branches
• Number of employees

Simply contact us, so we can accompany you on your way to become a cost-effective BS 7799 certified organization.