BSI revises standard for information security risk

03 January 2018

The BSI’s Anne Hayes says if ISO 27001 is the “bread and butter” of an infosec management system, then BS 7799-3 is the “knife to spread the butter”.

BSI has revised BS 7799-3, its guidance standard for information security risk management systems.

Notable changes include alignment with the latest version of ISO 27001, the internationally recognised standard that sets out the requirements for an information security management system (ISMS). BS 7799-3 provides guidance on defining, applying, maintaining and evaluating the risk management processes that ISO 27001 requires.

Anne Hayes, the BSI’s head of market development for governance and resilience, says: “BS 7799-3 was revised to work hand-in-hand with ISO 27001 in assisting organisations in evaluating their risk management processes. If ISO 27001 is the bread and butter of an organisation’s information security management system, BS 7799-3 is the knife to spread the butter.”

Other revisions include replacing the term ‘risk asset owner’ with ‘risk owner’, and placing more weight on the effectiveness of the risk treatment plan as a whole than on the individual controls within it.

According to BSI, BS 7799-3 identifies two widely recognised approaches to risk identification and risk analysis: the scenario-based approach, where risks are identified and assessed by considering events and their consequences; and the asset-threat-vulnerability approach, where risk identification takes into account the value of information assets and the threats and vulnerabilities applicable to them.

To make estimates of the likelihood of a security event more reliable, the business standards company recommends that an organisation consider using: team assessments rather than individual ones; external sources, such as published infosec breach reports; unambiguous frequencies, such as ‘two a year’, rather than vague descriptions of likelihood and timing; and rating scales with at least five categories, from ‘very low’ to ‘very high’.

BS 7799-3 also includes dedicated sections on infosec risk treatment, with guidance on how an organisation can monitor and measure its risk treatment plan.

BSI adds that the standard is applicable to all users but will be of particular interest to governance, risk and compliance personnel, security managers, operational managers, auditors, and anyone responsible for implementing GDPR requirements.