BS DISC PD3001(1999) : 1999
Superseded
A superseded Standard is one that has been fully replaced by another Standard, which is a new edition of the same Standard.
PREPARING FOR BS 7799 CERTIFICATION
17-12-2002
23-11-2012
1 GENERAL
1.1 Scope
1.2 Definitions
1.2.1 assurance (degree of)
1.2.2 business recovery plan
1.2.3 computer media
1.2.4 control
1.2.5 control objective
1.2.6 fallback
1.2.7 firewall
1.2.8 risk assessment
1.2.9 safeguard
1.2.10 security domain
1.2.11 third party connection
1.2.12 virus
1.2.13 vulnerability
1.3 The essence of information security
1.3.1 Confidentiality
1.3.2 Integrity
1.3.3 Availability
1.4 Sensitive information
2 INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)
2.1 Introduction
2.2 Establish the Management Framework
2.2.1 Security organization
2.2.2 Define the information security policy
2.2.3 Define the scope of the information security management system
2.2.4 Undertake risk assessment
2.2.5 Manage the risk
2.2.6 Select control objectives and controls to be implemented
2.2.7 Prepare the Statement of Applicability
2.3 Implementation
2.4 Documentation
2.5 Documentation control
2.6 Records
3 DETAILED CONTROL REQUIREMENTS
3.1 Information Security Policy
3.1.1 Information security policy document
3.1.2 Review and evaluation
3.2 Security organization
3.2.1 Information security infrastructure
3.2.2 Security of third party access
3.2.3 Outsourcing
3.3 Asset classification and control
3.3.1 Accountability for assets
3.3.2 Information classification
3.4 Personnel security
3.4.1 Security in job definition and resourcing
3.4.2 User training
3.4.3 Responding to incidents and malfunctions
3.5 Physical and environmental security
3.5.1 Secure areas
3.5.2 Equipment security
3.5.3 General controls
3.6 Communications and operations management
3.6.1 Operational procedures and responsibilities
3.6.2 System planning and acceptance
3.6.3 Protection from malicious software
3.6.4 Housekeeping
3.6.5 Network management
3.6.6 Media handling and security
3.6.7 Exchanges of information and software
3.7 Access control
3.7.1 Business requirement for system access
3.7.2 User access management
3.7.3 User responsibilities
3.7.4 Network access control
3.7.5 Operating system access control
3.7.6 Application access control
3.7.7 Monitoring system access and use
3.7.8 Mobile computing and teleworking
3.8 Systems development and maintenance
3.8.1 Security requirements of systems
3.8.2 Security in application systems
3.8.3 Cryptographic controls
3.8.4 Security of system files
3.8.5 Security in development and support processes
3.9 Business continuity management
3.9.1 Aspects of business continuity management
3.10 Compliance
3.10.1 Compliance with legal requirements
3.10.2 Review of security policy and technical compliance
3.10.3 System audit considerations
Figure 1: Security Management Framework
Defines guidance for users of BS 7799-2:1999 and the Code of Practice, BS 7799-1:1999, giving detailed information on implementing BS 7799 in preparation for assessment under the Accredited Certification Scheme for BS 7799-2:1999. Covers industry-accepted best-practice methods for demonstrating compliance and providing the evidence required by an assessment auditor.
Development Note | Supersedes BS PD3001(1998). (11/2010)
Document Type | Standard
Publisher Name | British Standards Institution
Status | Superseded
Supersedes | BS DISC PD0018(2001) : 2001 | INFORMATION MANAGEMENT SYSTEMS - BUILDING SYSTEMS FIT FOR AUDIT
Supersedes | BS DISC PD0016(2001) : 2001 | DOCUMENT SCANNING - GUIDE TO SCANNING BUSINESS DOCUMENTS