Rossouw von Solms: Port Elizabeth Technikon, Port Elizabeth, South Africa
In the previous article, guidelines for the management of an information technology environment were discussed. In that article, ISO/IEC proposed a comprehensive, structured approach to information security management (GMITS). Obviously, the ideal would be for an organization to follow such a "complete" approach to information security management but, unfortunately, most companies do not possess the resources needed to introduce and maintain such a comprehensive information security programme.
Many less comprehensive, but also very effective, approaches to information security management can be introduced in an organization. Many of these approaches, as is the case with the one introduced below, can actually contribute to a comprehensive approach such as GMITS. One approach that is growing in international stature and gaining a lot of recognition is the Code of Practice for Information Security Management, or British Standard 7799 (BS 7799).
The Code of Practice (CoP) has been developed by the Department of Trade and Industry in the UK, with the assistance of a group of leading international companies and organizations in the UK. The CoP was first published in September 1993. In 1995 the Code of Practice for Information Security Management became a British standard (BS 7799). The CoP is based on a compilation of the best information security practices in general use in many leading international companies.
The objectives of the Code of Practice are twofold:
- to provide a common basis for companies to develop, implement and...