Developing an information security management system (ISMS) based on BS 7799-2: 2002 & ISO 17799:2000 for engineering computer center (ECC)

Abstract

The model of Quality Management System (QMS), for over a decade, has proven its effectiveness of enhancing the quality of service and product of worldwide enterprises. Yet, in this knowledge economy, the growth or survival of the organization is not only limited to ensuring the quality but also extended to protecting information. Indeed, if we wish to rank the assets, next to personnel - the most valuable one - is unarguably the information, which is considered the lifeblood of each organization. Numerous information security breaches and incidents as well as their associated consequences overwhelm mass media, heavily striking the enterprises’ operation. Given that context, the timely release of BS 7799-2: 2002 and ISO 17799: 2000 - an Information Security Management System (ISMS) - is an appropriate, crucial supplementation for existing management systems. An efficient ISMS maintains the organization’s information security posture, thereby keeping the stability of internal and external business activities and most significantly, the customers’ credit. Implementation of BS 7799 and ISO 17799 in Thailand as well as in many other countries is quite fresh. This fact claims for two reasons. First, senior management’s awareness of information security is fairly low. More and equally important is the thought that understanding and deploying a new management system would be complicated, time-consuming and costly. These drove me to study the ISMS based on BS 7799 and ISO 17799 to know which are the characteristics and contents of an ISMS and then develop a theoretical model based on a specific case study of the Engineering Computer Center (ECO) of the Faculty of Engineering, Chulalongkorn University. This study aims at producing two results. First, the OCTAVESM method - the most effective and yet unknown information security risk assessment will be intensively explored in order to conduct a complete risk assessment on the operation of ECC. Next, according to such evaluation results, an ISMS will be fully established by using the BS 7799-2: 2002 and ISO 17799: 2000. Lastly, in near future, exploring this ISMS and the like would enable Thai authorities to establish their own standards like the ones generated by India, Japan, Germany, Australia and New Zealand.