BS 7799:2-2002 Controls

A.3 Security Policy

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.3.1 | Information Security Policy | |
| A.3.1.1 | Information Security Policy Document | A policy document shall be approved by management, published and communicated, as appropriate, to all employees |
| A.3.1.2 | Review and Evaluation | Policy should be reviewed periodically |

A.4 Organizational Security

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.4.1 | Information Security Infrastructure | |
| A.4.1.1 | Management Information Security Forum | A management forum to ensure that there is clear direction and visible management support for security initiatives shall be in place |
| A.4.1.2 | Information Security Coordination | Middle management committee to coordinate and implement the controls |
| A.4.1.3 | Allocation of information security responsibilities | Responsibilities for the protection of individual assets and for carrying out specific security processes shall be clearly defined |
| A.4.1.4 | Authorization process for information processing facilities | A management authorization process for new information processing facilities shall be established |
| A.4.1.5 | Specialist information security advice | Consultants can be used as advisors |
| A.4.1.6 | Cooperation between organizations | A contact list of all service providers shall be maintained |
| A.4.1.7 | Independent review of information security | Implementation shall be reviewed independently |
| A.4.2 | Security of third-party access | |
| A.4.2.1 | Identification of risks from third-party access | Appropriate security controls shall be implemented for third parties who have access to the organization's information |
| A.4.2.2 | Security requirements in third-party contracts | Formal contract with the third party to cover all security risks |
| A.4.3 | Outsourcing | To maintain the security of information when the responsibility has been outsourced to another organization |
| A.4.3.1 | Security requirements in outsourcing contracts | Formal contract with the third party who is providing the service to the organisation to cover all security risks |

A.5 Asset Classification and Control

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.5.1 | Accountability for assets | |
| A.5.1.1 | Inventory of assets | An inventory of all important assets associated with each information system shall be drawn up and maintained |
| A.5.2 | Information Classification | |
| A.5.2.1 | Classification Guidelines | Classifications and associated protective controls for information shall take account of business needs for sharing or restricting information, and the business impacts associated with such needs |
| A.5.2.2 | Information labeling and handling | A set of procedures shall be defined for information labeling and handling in accordance with the classification scheme adopted by the organization |

A.6 Personnel Security

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.6.1 | Security in job definition and resourcing | |
| A.6.1.1 | Including security in job responsibilities | Security roles and responsibilities, as laid down in the organization's information security policy, shall be documented in job definitions |
| A.6.1.2 | Personnel Screening and Policy | Verification checks on permanent staff, contractors and temporary staff shall be carried out at the time of job application |
| A.6.1.3 | Confidentiality agreements | NDA |
| A.6.1.4 | Terms and Conditions of employment | The terms and conditions shall state the employee's responsibility for information security |
| A.6.2 | User Training | |
| A.6.2.1 | Information security and training | Security awareness for everyone in the organization, including third-party employees |
| A.6.3 | Responding to security incidents and malfunctions | |
| A.6.3.1 | Reporting Security Incidents | Security incidents shall be reported through appropriate management channels as quickly as possible |
| A.6.3.2 | Reporting Security Weaknesses | Users shall be required to note and report any observed or suspected security weakness in, or threats to, systems or services |
| A.6.3.3 | Reporting Software Malfunctions | Procedures shall be established for reporting software malfunctions |
| A.6.3.4 | Learning from incidents | Mechanisms shall be put in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored |
| A.6.3.5 | Disciplinary process | A formal disciplinary process should be in place for dealing with employees who violate policies and procedures |

A.7 Physical and Environmental Security

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.7.1 | Secure Areas | |
| A.7.1.1 | Physical Security perimeter | Organizations shall use security perimeters to protect areas that contain information processing facilities |
| A.7.1.2 | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access |
| A.7.1.3 | Securing offices, rooms and facilities | Secure areas shall be created in order to protect offices, rooms and facilities with special security requirements |
| A.7.1.4 | Working in secure areas | Enhance the security of secure areas |
| A.7.1.5 | Isolated delivery and loading areas | Delivery and loading areas shall be controlled and, where possible, isolated from information processing facilities to avoid unauthorized access |
| A.7.2 | Equipment Security | |
| A.7.2.1 | Equipment siting and protection | Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access |
| A.7.2.2 | Power Supplies | Equipment shall be protected from power failures and other electrical anomalies |
| A.7.2.3 | Cabling Security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage |
| A.7.2.4 | Equipment Maintenance | Equipment shall be correctly maintained to enable its CIA (confidentiality, integrity and availability) |
| A.7.2.5 | Security of equipment off-premises | Any use of equipment for processing outside the organisation's premises shall require authorization by management |
| A.7.2.6 | Secure disposal or re-use of equipment | Information shall be erased from equipment prior to disposal or re-use |
| A.7.3 | General Controls | |
| A.7.3.1 | Clear desk and clear screen policy | Organizations shall have a clear desk and clear screen policy aimed at reducing the risks of unauthorized access to, loss of, and damage to information |
| A.7.3.2 | Removal of property | Equipment, information or software belonging to the organisation shall not be removed without authorization of the management |

A.8 Communications and Operations Management

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.8.1 | Operational procedures and responsibilities | |
| A.8.1.1 | Documented Control Procedures | The operating procedures identified in the security policy shall be documented and maintained |
| A.8.1.2 | Operational change controls | Changes to information processing facilities and systems shall be controlled |
| A.8.1.3 | Incident Management Procedures | Incident management responsibilities and procedures shall be established |
| A.8.1.4 | Segregation of duties | Duties and areas of responsibility shall be separated in order to reduce |
| A.8.1.5 | Separation of development and operational facilities | Development and testing facilities shall be separated from operational facilities |
| A.8.1.6 | External facilities management | Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor and incorporated into a contract |
| A.8.2 | System Acceptance and Planning | |
| A.8.2.1 | Capacity Planning | Capacity demands shall be monitored and projections of future capacity requirements made to enable adequate processing power and storage to be made available |
| A.8.2.2 | System Acceptance | Acceptance criteria for new information systems, upgrades and new versions shall be established and suitable tests of the system carried out prior to acceptance |
| A.8.3 | Protection Against Malicious Software | |
| A.8.3.1 | Controls against Malicious Software | Detection and prevention controls to protect against malicious software and appropriate user awareness procedures shall be implemented |
| A.8.4 | Housekeeping | |
| A.8.4.1 | Information Backup | Backup copies of essential business information and software shall be taken regularly |
| A.8.4.2 | Operator Logs | Operational staff shall maintain a log of their activities. Operator logs shall be subject to regular independent checks |
| A.8.4.3 | Fault Logging | Faults shall be reported and corrective action taken |
| A.8.5 | Network Management | |
| A.8.5.1 | Network Controls | A range of controls shall be implemented to maintain security in networks |
| A.8.6 | Media Handling | |
| A.8.6.1 | Management of Removable Media | The management of removable computer media such as tapes, disks, cassettes and printed reports shall be controlled |
| A.8.6.2 | Disposal of Media | Media shall be disposed of securely and safely when no longer required |
| A.8.6.3 | Information Handling Procedures | Procedures for the handling and storage of information shall be established in order to protect such information from unauthorized disclosure or misuse |
| A.8.6.4 | Security of system documentation | System documentation shall be protected from unauthorized access |
| A.8.7 | Exchanges of information and software | |
| A.8.7.1 | Information and software exchange agreements | Agreements shall be established for the exchange of information and software between organizations |
| A.8.7.2 | Security of media in transit | Media being transported shall be protected from unauthorized access, misuse or corruption |
| A.8.7.3 | Electronic commerce security | Electronic commerce shall be protected against fraudulent activity, contract dispute and disclosure or modification of information |
| A.8.7.4 | Security of electronic mail | A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail |
| A.8.7.5 | Security of electronic office systems | Policies and guidelines shall be prepared and implemented to control the business and security risks associated with electronic office systems |
| A.8.7.6 | Publicly available systems | There shall be a formal authorisation process before information is made publicly available, and the integrity of such information shall be protected to prevent unauthorized modification |
| A.8.7.7 | Other forms of information exchange | Policies, procedures and controls shall be in place to protect the exchange of information through the use of voice and video communications facilities |

A.9 Access Control

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.9.1 | Business requirement for access control | |
| A.9.1.1 | Access Control Policy | Business requirements for access control shall be defined and documented, and access shall be restricted to what is defined in the access control policy |
| A.9.2 | User access management | |
| A.9.2.1 | User Registration | There shall be a formal user registration and de-registration procedure for granting access to all multi-user information systems |
| A.9.2.2 | Privilege Management | The allocation and use of privileges shall be restricted and controlled |
| A.9.2.3 | User password management | The allocation of passwords shall be controlled through a formal management process |
| A.9.2.4 | Review of user access rights | Management shall conduct a formal process at regular intervals to review user access rights |
| A.9.3 | User responsibilities | |
| A.9.3.1 | Password use | Users shall be required to follow good security practices in the selection and use of passwords |
| A.9.3.2 | Unattended user equipment | Users shall be required to ensure that unattended equipment is given appropriate protection |
| A.9.4 | Network Access Control | |
| A.9.4.1 | Policy on use of network services | Users shall only have direct access to the services that they have been specifically authorized to use |
| A.9.4.2 | Enforced Path | The path from the user terminal to the computer service shall be controlled |
| A.9.4.3 | User authentication for external connections | Access by remote users shall be subject to authentication |
| A.9.4.4 | Node Authentication | Connections to remote computer systems shall be authenticated |
| A.9.4.5 | Remote diagnostic port protection | Access to diagnostic ports shall be controlled |
| A.9.4.6 | Segregation in networks | Controls shall be introduced in networks to segregate groups of information services, users and information systems |
| A.9.4.7 | Network Connection Control | The connection capability of users shall be restricted in shared networks, in accordance with the access control policy |
| A.9.4.8 | Network Routing Control | Shared networks shall have routing controls to ensure that computer connections and information flows do not breach the access control policy of the business applications |
| A.9.4.9 | Security of network services | A clear description of the security attributes of all network services used by the organisation shall be provided |
| A.9.5 | Operating system access control | |
| A.9.5.1 | Automatic terminal identification | Automatic terminal identification shall be considered to authenticate connections to specific locations and to portable equipment |
| A.9.5.2 | Terminal log-on procedure | Access to information services shall use a secure log-on process |
| A.9.5.3 | User identification and authentication | All users shall have a unique identifier for their personal and sole use so that activities can be traced to the responsible individual |
| A.9.5.4 | Password management system | Password management systems shall provide an effective, interactive facility which aims to ensure quality passwords |
| A.9.5.5 | Use of system utilities | Use of system utility programs shall be restricted and tightly controlled |
| A.9.5.6 | Duress alarm to safeguard users | Duress alarms shall be provided for users who might be the target of coercion |
| A.9.5.7 | Terminal time-out | Inactive terminals in high-risk locations or serving high-risk systems shall shut down after a defined period of inactivity to prevent access by unauthorized persons |
| A.9.5.8 | Limitation of connection time | Restrictions on connection times shall be used to provide additional security for high-risk applications |
| A.9.6 | Application access control | |
| A.9.6.1 | Information access restriction | Access to information and application system functions shall be restricted in accordance with the access control policy |
| A.9.6.2 | Sensitive systems isolation | Sensitive systems shall have a dedicated computing environment |
| A.9.7 | Monitoring system access and use | |
| A.9.7.1 | Event Logging | Audit logs recording exceptions and other security-relevant events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring |
| A.9.7.2 | Monitoring system use | Procedures for monitoring the use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly |
| A.9.7.3 | Clock Synchronization | Computer clocks shall be synchronized for accurate recording |
| A.9.8 | Mobile computing and teleworking | |
| A.9.8.1 | Mobile Computing | A formal policy shall be in place and appropriate controls shall be adopted to protect against the risks of working with mobile computing facilities, in particular in unprotected environments |
| A.9.8.2 | Teleworking | Policies, procedures and standards shall be developed to authorize and control teleworking activities |

A.10 System Development and Maintenance

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.10.1 | Security requirements of systems | |
| A.10.1.1 | Security requirements analysis and specifications | Business requirements for new systems or enhancements to existing systems shall specify the requirements for controls |
| A.10.2 | Security in applications | |
| A.10.2.1 | Input data validation | Input to application systems shall be validated to ensure that it is correct and appropriate |
| A.10.2.2 | Control of internal processing | Validation checks shall be implemented into systems to detect any corruption of the data processed |
| A.10.2.3 | Message authentication | Message authentication shall be used for applications where there is a security requirement to protect the integrity of the message content |
| A.10.2.4 | Output data validation | Data output from an application system shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances |
| A.10.3 | Cryptographic Controls | |
| A.10.3.1 | Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for the protection of information shall be developed |
| A.10.3.2 | Encryption | Encryption shall be applied to protect the confidentiality of sensitive or critical information |
| A.10.3.3 | Digital Signature | Digital signatures can be applied to protect the authenticity and integrity of electronic information |
| A.10.3.4 | Non-repudiation services | Non-repudiation services shall be used to resolve disputes about the occurrence or non-occurrence of an event or action |
| A.10.3.5 | Key Management | A key management system based on an agreed set of standards, procedures and methods shall be used to support the use of cryptographic techniques |
| A.10.4 | Security of system files | |
| A.10.4.1 | Control of operational software | Procedures shall be in place to control the implementation of software on operational systems |
| A.10.4.2 | Protection of system test data | Test data shall be protected and controlled |
| A.10.4.3 | Access control to program source library | Strict control shall be maintained over access to program source libraries |
| A.10.5 | Security in development and support processes | |
| A.10.5.1 | Change control procedures | The implementation of changes shall be strictly controlled by the use of formal change control procedures |
| A.10.5.2 | Technical review of operating system changes | Application systems shall be reviewed and tested when changes occur |
| A.10.5.3 | Restrictions on changes to software packages | Modifications to software packages shall be discouraged and essential changes strictly controlled |
| A.10.5.4 | Covert channels and Trojan code | The purchase, use and modification of software shall be controlled and checked to protect against possible covert channels and Trojan code |
| A.10.5.5 | Outsourced software development | Controls shall be applied to secure outsourced software development |

A.11 Business Continuity Management

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.11.1 | Aspects of business continuity management | |
| A.11.1.1 | Business continuity management process | Process for maintaining and developing business continuity throughout the organisation |
| A.11.1.2 | Business continuity and impact analysis | A strategy plan, based on appropriate risk assessment, shall be developed for the overall approach to business continuity |
| A.11.1.3 | Writing and implementing continuity plans | Plans to restore business operations in a timely manner following interruption to, or failure of, critical business processes |
| A.11.1.4 | Business continuity planning framework | A single framework of business continuity plans shall be maintained to ensure that all plans are consistent and to identify priorities for testing and maintenance |
| A.11.1.5 | Testing, maintaining and re-assessing business continuity plans | Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective |

A.12 Compliance

| Clause No. | Sub Clause Title | Objective |
|---|---|---|
| A.12.1 | Compliance with legal requirements | |
| A.12.1.1 | Identification of applicable legislation | All relevant statutory, regulatory and contractual requirements shall be documented for each information system |
| A.12.1.2 | Intellectual property rights (IPR) | Appropriate procedures shall be implemented to ensure compliance with legal restrictions on the use of material in respect of intellectual property rights and on the use of proprietary software products |
| A.12.1.3 | Safeguarding of organizational records | Important records of an organization shall be protected from loss, destruction and falsification |
| A.12.1.4 | Data protection and privacy of personal information | Controls shall be applied to protect personal information in accordance with relevant legislation |
| A.12.1.5 | Prevention of misuse of information processing facilities | Management shall authorize the use of information processing facilities, and controls shall be applied to prevent the misuse of such facilities |
| A.12.1.6 | Regulation of cryptographic controls | Controls shall be in place to enable compliance with national agreements, laws, regulations or other instruments to control the access to or use of cryptographic controls |
| A.12.1.7 | Collection of evidence | Where action against a person or organisation involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence |
| A.12.2 | Review of security policy and technical compliance | |
| A.12.2.1 | Compliance with security policy | Managers shall take action to ensure that all security procedures within their area of responsibility are carried out correctly, and all areas within the organization shall be subject to regular review to ensure compliance with security policies and standards |
| A.12.2.2 | Technical compliance checking | Information systems shall be regularly checked for compliance with security implementation standards |
| A.12.3 | System audit considerations | |
| A.12.3.1 | System audit controls | Audits of operational systems shall be planned carefully and agreed to minimize the risk of disruptions to business processes |
| A.12.3.2 | Protection of system audit tools | Access to system audit tools shall be protected to prevent any possible misuse or compromise |