
BSI BIP 0076 2010




Document information

Content

Information Security Risk Management Handbook for ISO/IEC 27001
Edward Humphreys

First published in the UK in 2010 by BSI, 389 Chiswick High Road, London W4 4AL

© British Standards Institution 2010. All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law. Whilst every effort has been made to trace all copyright holders, anyone claiming copyright should get in touch with BSI at the above address. BSI has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

The right of Edward Humphreys to be identified as the author of this Work has been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Caslon Pro and Franklin Gothic by Monolith – http://www.monolith.uk.com. Printed in Great Britain by Berforts, www.berforts.co.uk

British Library Cataloguing in Publication Data: a catalogue record for this book is available from the British Library. ISBN 978-0-580-60745-5

Contents

1 Introduction
  1.1 Importance of risk management
  1.2 Risk focused strategy
  1.3 Risk process
  1.4 Target audience
2 Nature of the Information Security Risk Landscape
  2.1 Risk – what is it? (Definitions; A world of risk; Risk attitudes; Pure versus speculative risks; Static versus dynamic risks)
  2.2 Risk factors
  2.3 Corporate risks (Corporate governance; Information security governance)
  2.4 Organizational risks (General)
  2.5 People risk
  2.6 Operational risk
  2.7 Risk within the scope of business operations (Externally-facing operational processes; Internally-facing operational processes; Information security and operational risks; IT risk and IT governance)
3 Risk Management Framework
  3.1 Risk management
  3.2 Information security risks in the organizational context
  3.3 Risk management process and approach (Risk management process; Risk approach)
  3.4 Risk measures (Risk parameters; Levels of risk acceptance; Residual risk)
  3.5 Accountability and ownership
  3.6 Implementation of risk management
  3.7 Delivering information security governance (Risk management project and team; Awareness and competency; Critical success factors; Risk management funding)
4 Risk Assessment
  4.1 Assessment process (Business case; Scope of the ISMS; ISMS policy)
  4.2 Asset identification (Objective; Guidance)
  4.3 Identification of legal and business requirements (Objective; Guidance)
  4.4 Asset valuation (Objective; Guidance)
  4.5 Identification and assessment of threats and vulnerabilities (Objective; Guidance)
  4.6 Assessment of the threats and vulnerabilities (Objective; Guidance)
  4.7 Impact value (Objective; Guidance)
  4.8 Risk calculation and evaluation (Objective; Guidance)
5 Risk Treatment
  5.1 Objective
  5.2 Decision-making (Decision factors; Costs and benefits; Return on investment (ROI))
  5.3 Treatment options (Reduce the risk; Knowingly and objectively accept the risk; Transfer of the risk; Avoid the risk; Residual risk)
6 System of Risk Controls
  6.1 Selection of risk controls (Objective; Selection guidance)
  6.2 Implementation of risk controls (Objective; Implementation guidance; Incident handling process, disaster recovery and business continuity; Technical controls; Training and awareness; Measurement programme)
7 Risk Monitoring and Reviews
  7.1 Ongoing security risk management
  7.2 Risk reviews and reassessments (General; Risk management process reporting and review; Inputs into the risk re-assessment; Information security incident management; ISMS measurements; Internal and external ISMS audits; Business impact analysis (BIA); Management reviews; Feedback and involvement; ISMS changes)
  7.3 Monitoring system and resource usage
  7.4 Monitoring and review of external services
  7.5 Monitoring system of controls
8 Risk Control Improvements
  8.1 Non-conformities
  8.2 Corrective and preventive actions (Objective; Case studies)
  8.3 Ensure that the improvements achieve their intended objectives (Objectives; Implementation guidance)
  8.4 Implement the identified improvements in the ISMS (Objective; Implementation guidance)
  8.5 Communicate the actions and improvements (Objective; Communication plan)
9 Documentation System
  9.1 General
  9.2 Risk report
  9.3 Risk register
  Statement of Applicability; Case study; Risk treatment plan; Electronic documentation system
10 Audits and Reviews
  10.1 Internal ISMS audits (General; Players)
  10.2 External ISMS audits
  10.3 Audit process (Scope of audit; Audit stages; Documents; Audit report and award of certificate)
11 Standards
  11.1 General
  11.2 Security controls
  11.3 Risk management
  11.4 Information security measurements
  11.5 ISMS auditing
  11.6 Training and awareness
  11.7 Incident handling
  11.8 Services, applications and service management
  11.9 Business continuity, disaster recovery and ICT preparedness
  11.10 Harmonization of management system standards
Annex A Definitions
Annex B Examples of legal and regulatory compliance
Annex C Examples of assets, threats, vulnerabilities and risk assessment methods
Annex D Risk management tools
Bibliography

Annex C Examples of assets, threats, vulnerabilities and risk assessment methods

Threat examples (continued):

• falsification of records;
• fire;
• flooding;
• fraud;
• hardware failure;
• hurricanes;
• illegal import/export of software;
• illegal use of software;
• industrial action;
• information leakage;
• information security incidents;
• interception;
• interference;
• interruption to business activities and processes;
• introduction of unauthorized or untested code;
• lightning;
• loss of integrity;
• loss of records;
• loss of service;
• maintenance error;
• malfunctions of supporting utilities;
• malicious code;
• masquerading of user identity;
• misuse of audit tools;
• misuse of information processing facilities;
• misuse of resources or assets;
• network access by unauthorized persons;
• operational support staff error;
• power fluctuation;
• security failure;
• software failure;
• system failure;
• system misuse (accidental or deliberate);
• theft;
• tornadoes;
• unauthorized access;
• unauthorized access to audit logs;
• unauthorized access to audit tools;
• unauthorized modification of audit logs;
• unauthorized or unintentional modification;
• unauthorized physical access;
• unauthorized use of IPR material;
• unauthorized use of software;
• unavailability;
• unsuccessful changes;
• use of network facilities in an unauthorized way;
• use of software by unauthorized users;
• use of software in an unauthorized way;
• user error;
• vandalism;
• violation of intellectual property rights;
• wilful damage.

Depending on the type of threat, its occurrence could result in a number of different outcomes, such as:

• accidental or unintended changes to software and data-sharing facilities in a computing environment;
• breach of security as a result of non-compliance with operational procedures;
• breach of security as a result of inaccurate, incomplete or inappropriate operating procedures or the definition of responsibilities, or insufficient updating of such procedures;
• breach of security as a result of non-compliance with incident handling procedures;
• compromise, damage or loss of data at a contractor's site;
• damage caused by inaccurate, incomplete or inappropriate continuity plans, insufficient testing or insufficient updating of plans;
• denial of service, system resources, information;
• email bombs;
• forgery;
• fraud;
• negligent or deliberate misuse of facilities as a result of lack of segregation and execution of duties;
• unauthorized disclosure of the location of sites/buildings/offices containing critical and/or sensitive computing and processing facilities;
• unauthorized disclosure of information.

Threat examples and ISO/IEC 27001:2005

The following illustrates by example how the various threats given earlier in this annex relate to selected control objectives given in ISO/IEC 27002:2005.

Physical and environmental security

Secure areas

Objective: To prevent unauthorized physical access, damage, and interference to the organization's premises and information. Critical or sensitive information processing facilities should be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls.

NOTE This corresponds to ISO/IEC 27001:2005, Annex A.9.

The following threats relate to this objective:

• bomb attack;
• earthquake;
• environmental contamination (and other forms of natural or man-made disasters);
• fire;
• flooding;
• hurricane;
• industrial action;
• interference;
• theft;
• unauthorized physical access;
• wilful damage.

Equipment security

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities. Equipment should be protected from physical and environmental threats.

NOTE This corresponds to ISO/IEC 27001:2005, Annex A.9.

The following threats relate to this objective:

• airborne particles/dust;
• air conditioning failure;
• bomb attack;
• dust;
• environmental contamination (and other forms of natural or man-made disasters);
• eavesdropping;
• failure of supporting utilities (such as electricity, water supply, sewage, heating, ventilation, and air-conditioning);
• fire;
• flooding;
• hardware failure;
• information leakage;
• interception;
• interference;
• interruption of activities;
• lightning;
• maintenance errors;
• malfunctions of supporting utilities;
• malicious code;
• power fluctuation;
• theft;
• unauthorized physical access;
• vandalism;
• wilful damage.

C.4.2 Communications and operations management

Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities. Responsibilities and procedures for the management and operation of all information processing facilities should be established.

NOTE This corresponds to ISO/IEC 27001:2005, Annex A.10.1.

The following threats relate to this objective:

• disclosure of information;
• theft of information;
• unauthorized access;
• unauthorized or unintentional modification;
• unauthorized changes to operational systems;
• unsuccessful changes to operational systems;
• fraud;
• scams;
• social engineering attacks;
• introduction of unauthorized or untested code;
• attack by malicious code;
• masquerading of user identity;
• misuse of resources or assets;
• operational support staff error;
• software failure;
• system misuse (accidental or deliberate);
• system failures, overloads and downtimes;
• use of software by unauthorized users;
• use of software in an unauthorized way;
• user errors, mistakes, bad judgements;
• wilful damage or harm to operational systems.

Information security aspects of business continuity management

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets.

NOTE This corresponds to ISO/IEC 27001:2005, Annex A.14.1.

The following threats relate to this objective:

• acts of terrorism;
• disasters (natural or man-made);
• destruction of the business continuity plans;
• errors;
• equipment failure;
• fire;
• information security incidents;
• interruption to business activities and processes;
• lack of business continuity tests;
• lack of reviews and updating of business continuity plans;
• loss of services;
• security failures;
• system failures;
• threats to the environment;
• threats to operational systems;
• threats to communication systems;
• unavailability.

Compliance

Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligation, and of any security requirement. The design, operation, use and management of information systems may be subject to statutory, regulatory, and contractual security requirements.

NOTE This corresponds to ISO/IEC 27001:2005, Annex A.15.

The following threats relate to this objective:

• breaches of contractual obligations;
• breach of legislation or regulations;
• destruction of records;
• deterioration of archived material and the media used for archiving;
• falsification of records;
• illegal import/export of software;
• illegal use of software;
• loss of records;
• misuse of information processing facilities;
• unauthorized access;
• unauthorized use of IPR material;
• unauthorized use of software;
• use of network facilities in an unauthorized way;
• violation of intellectual property rights.

Compliance with security policies and standards, and technical compliance

Objective: To ensure compliance of systems with organizational security policies and standards. The security of information systems should be regularly reviewed.

NOTE This corresponds to ISO/IEC 27001:2005, Annex A.15.2.

The following threats relate to this objective:

• compromise of security policy;
• damage caused by penetration tests;
• failure of communications services;
• misuse of resources;
• network access by unauthorized persons;
• illegal import/export of software;
• illegal use of software;
• malicious code;
• theft;
• unauthorized access;
• unauthorized use of software;
• use of network facilities in an unauthorized way;
• wilful damage.

Information systems audit considerations

Objective: To maximize the effectiveness of, and to minimize interference to or from, the information systems audit process. There should be controls to safeguard operational systems and audit tools during information systems audits.

NOTE This corresponds to ISO/IEC 27001:2005, Annex A.15.3.

The following threats relate to this objective:

• damage caused by third parties;
• disclosure of passwords;
• disruption to business processes;
• interference to or from the audit process;
• loss of integrity;
• misuse of audit tools;
• unauthorized access to audit logs;
• unauthorized access to audit tools;
• unauthorized modification of audit logs.

Vulnerability examples and ISO/IEC 27001:2005

The following lists give examples of vulnerabilities in various security areas, including examples of threats which might exploit these vulnerabilities. The lists can provide help during the assessment of vulnerabilities. It is emphasized that other threats could also exploit these vulnerabilities.

Human resources security (ISO/IEC 27001:2005, Annex A.8)

The vulnerability could be:

• insufficient user training and awareness;
• lack of operational support;
• lack of security awareness – user errors;
• lack of monitoring mechanisms – use of software in an unauthorized way;
• lack of policies for the correct use of telecommunications media and messaging – use of network facilities in an unauthorized way;
• no removal of access rights upon job termination – unauthorized access;
• no procedure to ensure return of asset upon job termination – theft;
• unmotivated or disgruntled staff – misuse of information processing facilities;
• unsupervised work by outside staff or staff working outside normal business hours – theft;
• user errors.

Physical and environmental security (ISO/IEC 27001:2005, Annex A.9)

The vulnerability could be:

• inadequate or careless use of physical access control to buildings, rooms and offices – wilful damage;
• lack of physical protection for the building, doors, and windows – theft;
• location in an area susceptible to flooding;
• unprotected storage – theft;
• insufficient maintenance/faulty installation of storage media – maintenance errors;
• lack of periodic equipment replacement schemes – deterioration of storage media;
• susceptibility of equipment to humidity, dust, soiling – airborne particles/dust;
• susceptibility of equipment to temperature variations and extremes of temperature;
• susceptibility of equipment to voltage variations – power fluctuation;
• unstable power grid – power fluctuation.

Communications and operations management (ISO/IEC 27001:2005, Annex A.10)

The vulnerability could be:

• complicated user interface – operational staff error;
• disposal or reuse of storage media without proper erasure – unauthorized access to information;
• inadequate change control – security failure;
• inadequate network management – traffic overloading;
• lack of backup procedures – loss of information;
• lack of proof of sending or receiving a message – repudiation;
• lack of updates for malicious code protection – software virus infection;
• no segregation of duties – system misuse (accidental or deliberate);
• no separation of test and operational facilities – unauthorized modification of operational systems;
• uncontrolled copying – theft;
• unprotected public network connections – use of software by unauthorized users.

Access control (ISO/IEC 27001:2005, Annex A.11)

The vulnerability could be:

• inappropriate segregation of networks – unauthorized connections in networks;
• lack of clear desk and clear screen policy – loss of or damage to information;
• lack of identification and authentication mechanisms such as user authentication – masquerading of user identity;
• lack of protection of mobile computing equipment – unauthorized access to information;
• no, or incorrect, access control policy – unauthorized access to information, systems or software;
• no 'logout' when leaving the workstation – use of software by unauthorized users;
• no, or insufficient, software testing – use of software by unauthorized users;
• no review of user access rights – access by users who have left the organization or changed jobs;
• poor password management (easily guessable passwords, storing of passwords, insufficient frequency of change) – masquerading of user identity;
• default factory accounts and passwords are not disabled or changed – unauthorized access to information, systems or software;
• uncontrolled use of system utilities overriding system or application controls.

Information systems acquisition, development and maintenance (ISO/IEC 27001:2005, Annex A.12)

The vulnerability could be:

• inappropriate protection of cryptographic keys – disclosure of information;
• incomplete policy on the use of cryptography – breach of legislation or regulations;
• lack of control of input or output – data error;
• lack of validation of processed data – corruption of information;
• no, or insufficient, software testing – use of software by unauthorized users;
• poorly documented software – operational support staff error;
• unclear or incomplete specifications for developers – software failure;
• uncontrolled downloading and using software – malicious software;
• uncontrolled use of shareware/freeware for corporate applications – legal liability;
• well known flaws in the software – use of software by unauthorized users;
• incorrect selection of test data – unauthorized access to personal data.

Annex D Risk management tools

General

A variety of methods exist for undertaking risk assessment and risk management reviews, ranging from simple question-and-answer checklist-based approaches (that nonetheless address business risks, and are not mere compliance checklists) through to structured analysis-based techniques. There are many commercially available tools which can be used to assist the assessment process. These include both automated (computer assisted) and manual products. Whatever methods or products are used by the organization, they should at least address the risk components, relationships between the components, and processes, as described in Chapters and .

Once a risk assessment review has been completed for the first time, the results of the review (assets and their values, security requirements and risk levels, and identified controls) should be stored and documented, for example, in a database. Software support tools can make this activity, and any future reassessment activity, much easier. Another important aspect that should not be overlooked is that users need appropriate training in the use of risk management tools.

Selecting a risk management tool

The following list gives a few ideas of criteria to be considered when selecting a risk assessment tool. The tool should at least contain modules for:

• data collection;
• analysis;
• output of results.

The method upon which the selected tool works and functions should reflect the organization's policy and overall approach to risk assessment.

Effective reporting of the results of risk assessment is an essential part of the process if management are to weigh the alternatives and make an appropriate, reliable and cost-effective selection of controls. Therefore, the tool should be capable of reporting the results in a clear and accurate manner. The ability to maintain a history of the information collected during the data collection phase, and of the analysis, is useful in subsequent reviews or queries.

Documentation describing the tool is essential for its effective use and should be available. The tool selected should be compatible with the hardware and software in use in the organization. Automated tools are generally efficient and error free, but some can be more difficult to install or learn. It might be necessary, therefore, to consider the availability of training and support for the tool. The effective use of the tool depends, in part, on how well the user understands the product and whether it has been installed and configured correctly: the availability of guidance on installation and use might be essential.

Back cover

The focus of this book is based around the concept of having an information security management system (ISMS) as a framework for achieving effective management of information security risks. International standard ISO/IEC 27001 is a world-recognised standard for establishing, implementing, monitoring, reviewing, updating and improving an ISMS. ISO/IEC 27005 is an ISMS risk management standard that supports the implementation of ISO/IEC 27001. This book is aimed at those business managers and staff involved in ISMS risk management activities. It is a practical handbook for the use and application of ISO/IEC 27005. It provides guidance and advice to specifically support the implementation of those requirements specified in ISO/IEC 27001:2005 that relate to risk management processes and associated activities.

Edward Humphreys (Chartered Fellow of the BCS – FBCS CITP, CISM) has been providing information security management and risk management consultancy services around the world for more than 35 years. During this time he has worked for major international companies and governments (in Europe, North America and Asia), as well as organisations such as the European Commission, ENISA and the OECD. He is the editor of BS 7799 Part 1:1999, ISO/IEC 17799:2000, the 1999 and 2002 editions of BS 7799 Part 2 (the ISMS standard) and EA 7/03 (the ISMS accreditation guidelines, which has now become ISO/IEC 27006). He is the Founder and Director of the ISMS International User Group and is responsible for the International Register of BS 7799/ISMS Certificates. In 2002 he was honoured with the Secure Computing Lifetime Achievement Award for his work on ISMS standards and certification. He has international recognition as the 'father' of the ISO/IEC 27000 family of ISMS standards.

BSI order ref: BIP 0076. BSI Group Headquarters, 389 Chiswick High Road, London W4 4AL, www.bsigroup.com. The British Standards Institution is incorporated by Royal Charter.

Posted: 13/04/2023, 17:16
