Recent reports of security breaches in India – breaches at BS7799-certified companies – should be treated with all the scepticism they deserve. BS7799 is an international standard for best practice in information security management. It describes a system for managing information security effectively, coherently and comprehensively, and it takes into account the certainty that every management system will sooner or later be bypassed and every defence overwhelmed – which is why business continuity plans are such an important part of the information security management system.
BS7799 is most definitely not a guarantee that no attacker will ever be successful. Sooner or later, every company is overwhelmed by an attacker – particularly an insider, and insiders, statistically, are responsible for about half of all successful attacks. What BS7799 expects is that, before committing to an outsourcing contract, an organization will carry out an information risk assessment, that this risk assessment will take into account the documented scope of the certified organization, and that, if that scope is inadequate, the potential outsourcer will act appropriately – not go ahead, require additional safeguards, and so on.
The fact that any one organization has a BS7799 certificate for an information security management system which doesn’t meet the requirements of the organization about to outsource its services is, usually, completely obvious. If the outsourcer nevertheless goes ahead and contracts to outsource the services, it deserves a bloody nose – the fault is in the inadequate judgement of the outsourcer, not in the standard itself.
Let’s make sure the really important lessons are learned here: the scope of the certificate must be adequate, the contractor is also responsible for carrying out a risk assessment and, sooner or later, an attacker will overcome the best defence. What matters is that the defender has a system for identifying and recovering from those attacks – and BS7799 gives them that.