Distributed by BSI British Standards, this CDROM provides you with a userfriendly guide to disability access. It offers a stepbystep solution to help your organization meet the requirements of the Disability Discrimination Act, which came into force on 1 October 2004. The guide will:provide necessary guidance and best practicemanage actions and reviewselfbuild your compliance manualsreport on ‘gaps’ in your systemintegrate with existing documentationsystemsallow flexible reporting options including export to PDF.
PD 3003:2002 Are you ready for a BS 7799 Part Audit A compliance assessment workbook Whilst every care has been taken in developing and compiling this Published Document, BSI accepts no liability for any loss or damage caused, arising directly or indirectly, in connection with reliance on its contents except to the extent that such liability may not be excluded by law Information given on the supply of services is provided for the convenience of users of this Published Document and does not constitute an endorsement by BSI of the suppliers named © British Standards Institution 2002 Copyright subsists in all BSI publications Except as permitted by Copyright, Designs and Patents Act 1998, no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from BSI If permission is granted, the terms may include royalty payments or a licensing agreement Details and advice can be obtained from the Copyright manager, BSI, 389 Chiswick High Road, London W4 4AL, UK “Are you ready for a BS 7799 Part Audit?” “Are you ready for a BS 7799 audit?” A compliance assessment workbook This revision has been edited by: Ted Humphreys (XiSEC Consultants Ltd) Dr Angelika Plate (AEXIS Security Consulting) “Are you ready for a BS 7799 Part Audit?” “Are you ready for a BS 7799 Part Audit?” Contents INTRODUCTION 1.1 Scope of this guide 1.2 Use of the standards 1.3 Companion guides 2 IDENTIFYING THE ISMS SCOPE HOW TO USE THIS GUIDE 3.1 ISMS Process Requirements 3.2 Control requirements ISMS PROCESSES WORKBOOK (ASSESSMENT OF ISMS PROCESS REQUIREMENTS) GAP ANALYSIS WORKBOOK (ASSESSMENT OF DETAILED CONTROLS) 36 “Are you ready for a BS 7799 Part Audit?” INTRODUCTION This document is one of a set of five guides published by DISC to support the use and application of ISO/IEC17799: 2000 and BS 7799 Part 2: 2002 Other guides include: • Preparing for BS 7799 certification (PD 3001) - Guidance on implementation of ISMS process requirements to organizations preparing for certification • Guide to BS 7799 Risk Assessment (PD 3002) - Guidance aimed at those responsible for carrying out risk management • Guide to the implementation and auditing of BS 7799 controls (PD 3004) - Guide to the implementation and auditing of BS 7799 controls • Guide on the selection of BS 7799 Part controls (PD 3005) This guide is intended primarily for use by organizations wishing to carry out internal compliance checks of their information security management system (ISMS) against the BS 7799-2:2002 standard For this purpose it is recommended that the compliance assessments specified in this guide are carried out under the supervision of the person responsible for information security in the organization or by internal audit staff System developers may also find it a useful reference document when considering the security aspects of new systems This guide is intended to aid compliance not to define or specify it 1.1 Scope of this guide This guide provides a means to help organizations to test the compliance of their ISMS with the requirements of BS 7799-2:2002 using the following check lists: • ISMS process check workbook to assess the ISMS compliance with the process requirements given in clauses to in BS 7799-2:2002 • Gap analysis check workbook to assess and record the extent of ISMS compliance with the control requirements laid down in Annex A of BS 7799-2:2002 The gap analysis check is purely a means to confirm what controls are in place in accordance with the requirements specified in BS 7799-2:2002 Where particular control requirements are not fully satisfied, organizations need to document the reasons why control requirements have not been met Auditors qualified to carry out assessments to BS 7799 Part will expect, amongst other things, to be able to question such reasons and supporting justification Please note that this guide is only informative and is not a definitive measure or definition of compliance with BS 7799 Part Page “Are you ready for a BS 7799 Part Audit?” Organizations may use the gap analysis to make an informal assessment of their compliance with BS 7799 Part prior, for example, to having an internal ISMS audit or a 2nd party audit carried out by a customer For accredited certification the gap analysis has no formal status and cannot be taken to form an approved Statement of Applicability (SoA) as it does not meet the SoA requirements defined in BS 7799-2:2002 It does not replace the formal assessment route associated with Part and the PDCA process requirements for establishing, implementing and maintaining an ISMS The ISMS process check is a means to confirm that the organization has a set of systems and processes in place to satisfy the requirements specified in BS 7799-2:2002 This check should be applied by organizations preparing for accredited certification, as well as by those preparing for post-certification activities such as surveillance audits and for re-certification It is a means of being able to check how many activities have been carried out and how many are still to be undertaken This check does not indicate how well or effective the activities have been, or how correct and effective the implementation of the system of controls is 1.2 Use of the standards This guide makes reference to the following standards: ISO/IEC 17799:2000 (previously BS 7799-1:1999) - a code of practice that identifies control objectives and controls and provides common practice advice for the implementation of these controls BS 7799-2:2002 - is the specification for an information security management system This standard is used as the basis for accredited certification This guide will be updated following any changes to these standards Organizations must therefore ensure that the correct version is being used for compliance checks related to precertification, certification and post-certification purposes 1.3 Companion guides Additional guides are available which provide a more detailed interpretation of the ISO/IEC 17799 and BS 7799 Part standards and practical development advice, i.e guidance on risk assessment and guidance on the selection of controls IDENTIFYING THE ISMS SCOPE It is important both for the organization whose ISMS is being assessed and for the auditors’ understanding of the ISMS, that the scope of the ISMS is defined clearly and unambiguously Page “Are you ready for a BS 7799 Part Audit?” Given the complexity of many business applications and processes, as well as the growth of information systems, IT and networking there are many possible ways in which boundaries may be drawn around an ISMS Similarly the size of organization and its geographical spread will influence the view of what is a suitable scope of the ISMS It is very rare that business systems and processes work in isolation or are self-contained, as they will have interfaces with other systems Therefore in defining the scope of the ISMS any interfaces with other systems and processes outside the ISMS boundary need to be taken into consideration Guidance on the identification and definition of the ISMS scope is given in the User Guide (PD 3001) which expands on the definition given in BS 7799-2:2002 This describes the ISMS scope in terms of the organization, its location, assets and technology This should be interpreted to include the information assets, business processes and applications, as well as the technology being used Although these elements need not be defined in any great detail, it is important that all significant assets are identified HOW TO USE THIS GUIDE The aim of the guide is to allow organizations to assess the extent of their ISMS compliance with the requirements specified in BS 7799-2:2002 This section tells you how to prepare for and complete the compliance check The major component of the compliance check itself is carried out through a questionnaire process The form and content of the control requirement compliance check questionnaires is described and a sample-completed questionnaire is shown in section 3.3 The actual compliance check is contained in sections and of this guide: • Section ISMS Processes Workbook - The compliance check of ISMS process requirements This covers establishing that the prerequisite processes and measures defined Clauses to of BS 7799-2:2002 are in place; and • Section Gap Analysis Workbook - The compliance check of detailed controls from Annex A of BS 7799-2 This covers the identification of what controls are in place and the extent to which they are in place Additionally, a possibility is given to document the reasons behind any non-implementation of controls, and to explain the rationale for implementing controls, e.g where this has been done in a non-standard manner Page “Are you ready for a BS 7799 Part Audit?” 3.1 ISMS Process Requirements Introduction The compliance check on the ISMS processes covers those set of processes defined in BS 7799-2:2002 based on the PDCA model This set of processes covers an on-going cycle of activities aimed at establishing effective information security management through a programme of continual improvement Amongst other things the ISMS processes addresses the assets to be protected, a systematic approach to risk management, the selection of a system of controls and the other processes used to implement and maintain an ISMS according to the PDCA model (see clause of BS 7799-2:2002 for details): • Plan (processes to establish the ISMS) • Do (processes to implement and operate the ISMS) • Check (processes to monitor and review the ISMS) • Act (processes to maintain and improve the ISMS) The ISMS system of controls should be implemented effectively and should be monitored and reviewed regularly to ensure their continuous effectiveness; appropriate documentation in support of this should be in place, up to date, accurate and available for inspection and reference; and appropriate records should be maintained to demonstrate continuing compliance with BS 7799: Part The certification audit process will ensure that the organization has a set of processes in place to cover the above objectives and the post certification audits will need to check these are maintained to ensure continuing compliance Section of this guide considers these process requirements Check Lists There are two basic questions and these may be addressed to each of the process requirements The questions are: Q1 - Is a relevant process in place to satisfy the prescriptive “shall” requirement in clauses to of BS 7799 Part 2? Three answers are possible: • Yes – there is process in place, which completely fulfil the requirement Some explanation may be required justifying this answer - see “comments” below Page “Are you ready for a BS 7799 Part Audit?” • Partly – a process is in place, which address the requirement but not sufficiently to allow an answer of YES • No - there is no process in place to address the requirement Q2 - If the requirement has either not been implemented on only partially implemented, why not? It will be important to understand the reasons and justification for partial or nonimplementation 3.2 Control requirements Introduction Annex A of BS 7799-2:2002 contains the detailed control requirements under ten general headings This guide presents each of the control requirements in question form and allows organizations to indicate: • Whether the requirement has been implemented; • Whether the requirement has been partially or not fully implemented and the reason(s) and justification why; • Whether the requirement has not been implemented at all and the reason(s) and justification why It should be understood that reasons for non-implementation may not necessarily be seen as sufficient justification by external auditors whose task is to assess the ISMS to BS 7799: Part Organizations may wish to further refine the process defined in this guide with more detailed questions per control requirements within each general category This might be necessary to completely assess all details of a specific control implementation in place in an organization Due to the number of controls, this might be a work intense task, but will lead to a thorough assessment of the implementation status In addition, such a questionnaire can be used in several stages of the PDCA process Introduction There are two basic questions and these may be addressed to each control requirement The questions are: Q1 - Has this control requirement been implemented? Three answers are possible: Page “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.9 Access control A.9.4 Network access control Objective: Protection of networked services Q1 Implementation status Tick one box for each control requirement Control requirement A.9.4.1 Are users only permitted direct access to the services that they are specifically authorized to use? A.9.4.2 Is the path from the user terminal to the computer service controlled? A.9.4.3 Is access by remote users subject to an authentication check? A.9.4.4 Are connections to remote computer systems authenticated? A.9.4.5 Is access to diagnostic ports securely controlled? A.9.4.6 Are controls in place in networks to segregate groups of information services, users and information systems? Yes Partly No A.9.4.7 Is the connection capability of users in shared networks restricted in line with the access control policy? A.9.4.8 Do shared networks have routing controls to ensure that computer connections and information flows not breach the access control policy of the business applications? A.9.4.9 Has a clear description been obtained and documented of the security attributes of all network services been provided? Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 A.9.4.6 A.9.4.7 A.9.4.8 A.9.4.9 Page 61 “Are you ready for a BS 7799 Part Audit?” COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 62 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.9 Access control A.9.5 Operating system access control Objective: To prevent unauthorized computer access Q1 Implementation status Tick one box for each control requirement Control requirement A.9.5.1 Are terminals automatically identified to authenticate connections to specific locations and to portable equipment? A.9.5.2 Is access to information services via a secure logon process? A.9.5.3 Are users provided with a unique identifier (user ID) for their personal and sole use so that activities are traceable to individuals and has a suitable authentication technique been chosen to substantiate the claimed identity of a user? A.9.5.4 Are password management systems in place that provide an effective, interactive facility for the provision of quality passwords? A.9.5.5 Is the use of system utility programs restricted and tightly controlled? A.9.5.6 Are duress alarms provided for users who might be the target of coercion? A.9.5.7 Are there procedures and mechanisms in place to ensure that inactive terminals in high-risk locations or serving high-risk systems will shut down after a defined period of inactivity to prevent access by unauthorized persons? A.9.5.8 Are there restrictions on the connection times to highrisk applications to provide additional security? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.9.5.1 A.9.5.2 A.9.5.3 A.9.5.4 A.9.5.5 A.9.5.6 A.9.5.7 A.9.5.8 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 63 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.9 Access control A.9.6 Application access control Objective: To prevent unauthorized access to information held in information systems Q1 Implementation status Tick one box for each control requirement Control requirement A.9.6.1 Is access to information and application system functions restricted in accordance with the access control policy? A.9.6.2 Do sensitive systems have a dedicated (isolated) computing environment? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.9.6.1 A.9.6.2 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 64 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.9 Access control A.9.7 Monitoring system access and use Objective: To detect unauthorized activities Q1 Implementation status Tick one box for each control requirement Control requirement Yes A.9.7.1 Are audit logs produced to record exceptions and other security-relevant events and are these retained for an agreed period to assist in future investigations and access control monitoring? A.9.7.2 Are there procedures established for monitoring the use of information processing facilities and are the results of the monitoring activities reviewed regularly? A.9.7.3 Are all computer clocks synchronized for accurate recording? Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.9.7.1 A.9.7.2 A.9.7.3 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 65 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.9 Access control A.9.8 Mobile computing and teleworking Objective: To ensure information security when using mobile computing and teleworking facilities Q1 Implementation status Tick one box for each control requirement Control requirement A.9.8.1 Is there a formal policy in place and have appropriate controls been adopted to protect against the risks of working with mobile computing facilities, especially in unprotected environments? A.9.8.2 Are there policies, procedures and standards in place to authorize and control teleworking activities? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.9.8.1 A.9.8.2 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 66 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.10 Systems development and maintenance A.10.1 Security requirements of systems Objective: To ensure that security is built into information systems Q1 Implementation status Tick one box Control requirement A.10.1.1 Do business requirements for new systems or enhancements to existing systems specify the requirements for controls? Yes Partly No Q2 If you have ticked either of the boxes marked Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.10.1.1 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 67 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.10 Systems development and maintenance A.10.2 Security in application systems Objective: To prevent loss, modification or misuse of user data in application systems Q1 Implementation status Tick one box for each control requirement Control requirement A.10.2.1 Is data input to application systems validated to ensure that it is correct and appropriate? A.10.2.2 Are there validation checks incorporated into systems to detect corruption of the data processed? A.10.2.3 Has a message authentication system been implemented where there is a security requirement to protect the integrity of the message content? A.10.2.4 Is data output from application system validated to ensure that the processing of stored information is correct and appropriate to the circumstances? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.10.2.1 A.10.2.2 A.10.2.3 A.10.2.4 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 68 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.10 Systems development and maintenance A.10.3 Cryptographic controls Objective: To protect the confidentiality, authenticity or integrity of information Q1 Implementation status Tick one box for each control requirement Control requirement A.10.3.1 Is there a policy on the use of cryptographic controls for the protection of information? A.10.3.2 Is encryption applied to protect the confidentiality of sensitive or critical information? A.10.3.3 Are digital signatures applied to protect the authenticity and integrity of electronic information? A.10.3.4 Are non-repudiation services used to resolve disputes about occurrence or non-occurrence of events or actions? A.10.3.5 Is a key management system used to support the use of cryptographic techniques, based on an agreed set of standards, procedures and methods? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.10.3.1 A.10.3.2 A.10.3.3 A.10.3.4 A.10.3.5 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 69 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.10 Systems development and maintenance A.10.4 Security of system files Objective: To ensure that IT projects and support activities are conducted in a secure manner Q1 Implementation status Tick one box for each control requirement Control requirement A.10.4.1 Are procedures in place to control the implementation of software on operational systems? A.10.4.2 Is test data protected and controlled? A.10.4.3 Is strict control maintained over access to program source libraries? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.10.4.1 A.10.4.2 A.10.4.3 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 70 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.10 Systems development and maintenance A.10.5 Security in development and support processes Objective: To maintain the security of application system software and information Q1 Implementation status Tick one box for each control requirement Control requirement A.10.5.1 Are there strict formal change control procedures for the implementation of changes? A.10.5.2 Are the application systems reviewed and tested when changes occur? A.10.5.3 Are modifications to software packages discouraged and any essential changes strictly controlled? A.10.5.4 Are purchase, use and modification of software controlled and checked to protect against possible covert channels and Trojan code? A.10.5.5 Are controls applied to secure outsourced software development? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.10.5.1 A.10.5.2 A.10.5.3 A.10.5.4 A.10.5.5 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 71 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.11 Business continuity management A.11.1 Aspects of business continuity management Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters Q1 Implementation status Tick one box for each control requirement Control requirement A.11.1.1 Is there a managed process in place for developing and maintaining business continuity across the organization? A.11.1.2 Is there a strategy plan in place, based on risk assessment, detailing the overall approach to business continuity? A.11.1.3 Are plans developed to maintain or restore business operations in a timely manner following interruption to, or failure of, critical business processes? A.11.1.4 Is a single framework of business continuity plans maintained to ensure that all plans are consistent and to identify priorities for testing and maintenance? A.11.1.5 Are business continuity plans tested regularly and maintained by regular reviews to ensure they are up to date and effective? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.11.1.1 A.11.1.2 A.11.1.3 A.11.1.4 A.11.1.5 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 72 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.12 Compliance A.12.1 Compliance with legal requirements Objective: To avoid breaches of any criminal and civil law, and statutory, regulatory or contractual obligations and, of any security requirements Q1 Implementation status Tick one box for each control requirement Control requirement A.12.1.1 Are all relevant statutory, regulatory and contractual requirements explicitly defined and documented for each information system? A.12.1.2 Are appropriate procedures implemented to ensure compliance with legal restrictions on the use of material in respect of intellectual property rights, and on the use of propriety software products? A.12.1.3 Are important records of the organization protected from loss, destruction and falsification? A.12.1.4 Are there controls applied to protect personal information in accordance with relevant legislation? A.12.1.5 Is there management authorization for the use of information processing facilities and are controls applied to prevent the misuse of such facilities? A.12.1.6 Are controls in place to ensure compliance with national agreements, laws, regulations or other instruments to control the access to or use of cryptographic controls? A.12.1.7 Where actions against a person or organization involves the law, either civil or criminal, does collection of evidence conform to the rules for evidence laid down by the relevant law, rules of a specific court, published standard or code of practice for the production of admissible evidence? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.12.1.1 A.12.1.2 A.12.1.3 A.12.1.4 A.12.1.5 A.12.1.6 A.12.1.7 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 73 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.12 Compliance A.12.2 Review of security policy and technical compliance Objective: To ensure compliance of systems with organizational security policies and standards Q1 Implementation status Tick one box for each control requirement Control requirement A.12.2.1 Do managers take action to ensure that all security procedures within their area of responsibility are carried out correctly? In addition, are all areas within the organization subject to regular review to ensure compliance with security policies and standards? A.12.2.2 Are information systems regularly checked for compliance with security implementation standards? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.12.2.1 A.12.2.2 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 74 “Are you ready for a BS 7799 Part Audit?” BS 7799-2:2002 Information security management systems – Specification with guidance for use A.12 Compliance A.12.3 System audit consideration Objective: To maximize the effectiveness, and to minimize interference to/from the system audit process Q1 Implementation status Tick one box for each control requirement Control requirement A.12.3.1 Are all audits of operational systems carefully planned and agreed to minimize the risk of disruptions to business processes? A.12.3.2 Is access to system audit tools protected to prevent possible misuse or compromise? Yes Partly No Q2 If you have ticked any of the boxes marked either Partly or No you should indicate the reason by ticking one or more of the following boxes Control Reasons and justification A.12.3.1 A.12.3.2 COMMENTS: (Enter a wider explanation of the reason(s) indicated above Where control measures are in place it may be helpful to detail them See section 3.2 for details Use additional sheets if necessary.) Page 75 ... BS 7799 certification (PD 3001) - Guidance on implementation of ISMS process requirements to organizations preparing for certification • Guide to BS 7799 Risk Assessment (PD 3002) - Guidance aimed... and auditing of BS 7799 controls (PD 3004) - Guide to the implementation and auditing of BS 7799 controls • Guide on the selection of BS 7799 Part controls (PD 3005) This guide is intended primarily... in BS 7799-2:2002 It does not replace the formal assessment route associated with Part and the PDCA process requirements for establishing, implementing and maintaining an ISMS The ISMS process