BSI, the business standards company, has revised its guidance standard for information security management systems, BS 7799-3 ‘guidelines for information security risk management.’

BS 7799-3 specifically assists organisations regarding the risks and opportunities aspects in the internationally recognised ISO 27001 information technology, security techniques, information security management systems and requirements. BS 7799-3 provides guidance on defining, applying, maintaining and evaluating risk management processes in the information security context.

The standard is relevant to organisations which have, or are intending to have, an information security management system which conforms to ISO 27001. BS 7799-3 identifies two widely recognised approaches to risk identification and risk analysis: the scenario-based approach, where risks are identified and assessed, through a consideration of events and their consequence; and the asset-threat-vulnerability approach, where risk identification takes into account the value of information assets and identifies applicable threats.

Reliable organisational security data

The standard recommends that for an organisation to increase the reliability of estimating the likelihood of a security event occurring, they should consider using team assessments rather than individual assessments; employing external sources, such as information security breaches reports; unambiguous targets, such as ‘two a year’, rather than vague targets and timings; and using scales with at least five categories to ascertain risk, from ‘very low’ to ‘very high’.

"Recognising that no two organisations have identical security concerns, BS 7799-3 is applicable for all organisations"

BS 7799-3 accounts for risks as diverse as whether the influences of a foreign actor are a threat to the organisation; technology failure; influences of domestic crime, including fraud; and the probable skill of an attacker, and the resources available to them. The standard includes dedicated sections for information security risk treatment, with guidance on how an organisation can monitor and measure their risk identification plan.

Enhanced information security management

Recognising that no two organisations have identical security concerns, BS 7799-3 is applicable for all organisations – regardless of type, size or nature. Notable changes between the revised BS 7799-3 and its predecessor include conformity to the latest version of ISO 27001; the term ‘risk owner’ replaces ‘risk asset owner’; and the effectiveness of the risk treatment plan is now regarded as being more important than the controls.

Anne Hayes, Head of Market Development for Governance and Resilience at BSI, said: “Information security is the central nervous system of any organisation. When it fails, the financial and reputational impact can be devastating for small and large organisations alike. Unsurprisingly, businesses routinely cite information security as their number one concern.

BS 7799-3 was revised to work hand-in-hand with ISO 27001 in assisting organisations in evaluating their risk management processes. If ISO 27001 is the bread and butter of an organisation’s information security management system, BS 7799-3 is the knife to spread the butter.”

BS 7799-3 is applicable for any organisation, but will be of particular interest to governance, risk and compliance personnel; security managers; operational managers; auditors; and anyone responsible for implementing the requirements of the General Data Protection Regulation in their organisation.

Download PDF version

In case you missed it

Unifying the mobile experience: cloud, IoT and the AI evolution of access control in 2019
Unifying the mobile experience: cloud, IoT and the AI evolution of access control in 2019

The industry faces numerous challenges in the coming year. Physical and cyber security threats continue to become more complex, and organisations are struggling to manage both physical and digital credentials as well as a rapidly growing number of connected endpoints in the Internet of Things (IoT). We are witnessing the collision of the enterprise with the IoT, and organisations now must establish trust and validate the identity of people as well as ‘things’ in an environment of increasingly stringent safety and data privacy regulations. Meanwhile, demand grows for smarter and more data-driven workplaces, a risk-based approach to threat protection, improved productivity and seamless, more convenient access to the enterprise and its physical and digital assets and services. Using smartphone apps to open doors Cloud technologies give people access through their mobile phones and other devices to many new, high-value experiencesEnterprise customers increasingly want to create trusted environments within which they can deliver valuable new user experiences. A major driver is growing demand for the ‘digital cohesion’ of being able to use smartphone apps to open doors, authenticate to enterprise data resources or access a building’s applications and services. Cloud technologies are a key piece of the solution. They give people access through their mobile phones and other devices to many new, high-value experiences. At the same time, they help fuel smarter, more data-driven workplace environments. With the arrival of today’s identity- and location-aware building systems that recognise people and use deep learning analytics to customise their office environment, the workplace is undergoing dramatic change. Improved fingerprint solutions Cloud-based platforms and application programming interfaces (APIs) will help bridge biometrics and access control in the enterprise, overcoming previous integration hurdles while providing a trusted platform that meets the concerns of accessibility and data protection in a connected environment. At the same time, the next generation of fingerprint solutions will deliver higher matching speed, better image capture quality and improved performance. The next generation of fingerprint solutions will deliver higher matching speed, better image capture quality and improved performance Liveness detection will ensure that captured data is from a living person. Biometrics authentication will also gain traction beyond access control in immigration and border control, law enforcement, military, defence and other public section use cases where higher security is needed. Flexible subscription models Access control solutions based on cloud platforms will also change how solutions are deployed. Siloed security and workplace optimisation solutions will be replaced with mobile apps that can be downloaded anywhere across a global ecosystem of millions of compatible and connected physical access control system endpoints. These connections will also facilitate new, more flexible subscription models for access control services. As an example, users will be able to more easily replenish mobile IDs if their smartphones are lost or must be replaced. Generating valuable insights with machine learning Machine learning analytics will be used to generate valuable insights from today’s access control solutionsEducation, finance, healthcare, enterprise, and other niche markets such as commercial real-estate and enterprises focussed on co-working spaces will benefit from a cloud-connected access control hardware foundation. There will be a faster path from design to deployment since developers will no longer have to create an entire vertically integrated solution. They will simply add an app experience to the existing access control infrastructure. New players will be drawn to the market resulting in a richer, more vibrant development community and accelerated innovation. Data analytics will be a rapidly growing area of interest. Machine learning analytics will be used to generate valuable insights from today’s access control solutions. Devices, access control systems, IoT applications, digital certificates and location services solutions, which are all connected to the cloud, will collectively deliver robust data with which to apply advanced analytics and risk-based intelligence. As organisations incorporate this type of analytics engine into their access control systems, they will improve security and personalise the user experience while driving better business decisions. 

What characteristics do salespeople require in the physical security industry?
What characteristics do salespeople require in the physical security industry?

A basic tenet of sales is ABC – always be closing. But it's a principle that most professional salespeople would say oversimplifies the process. Especially in a sophisticated, high-tech market such as physical security, the required sales skills are much more involved and nuanced. We asked this week's Expert Panel Roundtable: What unique characteristics are required of salespeople in the arena of physical security systems?

Can microchip implants replace plastic cards in modern access control?
Can microchip implants replace plastic cards in modern access control?

A futuristic alternative to plastic cards for access control and other applications is being considered by some corporate users in Sweden and the United Kingdom. The idea involves using a microchip device implanted into a user’s hand. About the size of a grain of rice and provided by Swedish company Biohax, the tiny device employs passive near field communication (NFC) to interface with a user’s digital environment. Access control is just one application for the device, which can be deployed in lieu of a smart card in numerous uses. Biohax says more than 4,000 individuals have implanted the device. Using the device for corporate employees Every user is given plenty of information to make an informed decision whether they want to use the deviceCurrently Biohax is having dialogue with curious corporate customers about using the device for their employees. “It’s a dialogue, not Big Brother planning to chip every employee they have,” says Jowan Österlund, CEO at Biohax. Every user is given plenty of information to make an informed decision whether they want to use the device. Data capture form to appear here! “Proof of concept” demonstrations have been conducted at several companies, including Tui, a travel company in Sweden that uses the device for access management, ID management, printing, gym access and self-checkout in the cafeteria. Biohax is also having dialogue with some big companies in the United Kingdom, including legal and financial firms. Österlund aims to have a full working system in place in the next year or so. A Swedish rail company accepts the implanted chip in lieu of a paper train ticket. They accept existing implants but are not offering to implant the chips. Österlund says his company currently has no plans to enter the U.S. market. The device is large enough to locate easily and extract if needed, and small enough to be unobtrusive Access control credential The device is inserted/injected below the skin between the index finger and the thumb. The circuitry has a 10-year lifespan. The device is large enough to locate easily and extract if needed, and small enough to be unobtrusive. The only risk is the possibility of infection, which is true anytime the skin is pierced, and the risk is mitigated by employing health professionals to inject the chip. Use of the device as an access control credential or any other function is offered as a voluntary option; any requirement by an employer to inject the device would be illegal, says Österlund. It’s a convenient choice that is made “based on a well-informed decision by the customer.” Aversion to needles, for example, would make some users squeamish to implant the device. More education of users helps to allay any concerns: Some 10% of employees typically would agree quickly to the system, but a larger group of 50% to 60% are likely to agree over time as they get more comfortable with the idea and understand the convenience, says Österlund. Protection of information The passive device does not actively send out any signals as you walk. It is only powered up by a reader if a user has access rightsIn terms of privacy concerns, information contained on the device is in physical form and is protected. The passive device does not actively send out any signals as you walk. There is no battery. It is only powered up by a reader if a user has access rights. With use of the device being discussed in the United Kingdom, there has been some backlash. For example, Frances O’Grady, general secretary of the Trades Union Congress (TUC), has said: “Microchipping would give bosses even more power and control over their workers.” A big misconception is that the chip is a tracking device, says Österlund. It isn’t. “We love people to get informed,” says Österlund. “If they’re scared or apprehensive, they can just read up. It’s not used to control you – it’s used to give you control.”