Information Security Management Systems
The security of company information has always been important, and
measures have traditionally been taken to prevent disclosure, fraud,
theft and so on. However, now that computers play such an important
role in business activity, information security has taken on a new
meaning.
In the course of everyday corporate business, many people produce and
manipulate their own work, store files, keep records and databases,
control procedures and production tasks, download information from the
internet and still, of course, produce confidential work.
Hand in hand with today's technology, there is an increased risk to the
security of everyone's work, and it is not always the most obvious type
of threat. Naturally, there is still the danger of work being stolen,
but there is also the loss of data if hardware is stolen, computer
'hacking', computer viruses which carry out deliberate sabotage, plus
system failures and crashes, power cuts and surges, corruption of
transportable media and, of course, fire.
An Audit Commission update report shows that, between 1994 and 1997 in
the UK, the percentage of organisations reporting incidents of IT fraud
rose from 36% to 45%. These are only the reported cases, and only those
considered deliberate fraud; they exclude most of the other problems
highlighted above.
The purpose of information security management is to enable continuity
of business and to reduce the damage caused by security incidents, by
preventing them or minimising their impact. Starting life in 1993 as
PD0003, A Code of Practice for Information Security Management, BS 7799
was developed by the Department of Trade and Industry (DTI) as a result
of demand from industry, government agencies and commerce. They all
wanted a method for developing, implementing and measuring a common
framework of effective security management.
The BS 7799 accredited certification scheme (c:cure) was launched in
April 1998 by Barbara Roche, the Minister for Trade and Industry. The
scheme was developed for the Department of Trade and Industry by DISC*,
with help from UKAS and in close liaison with representatives from
industry. Based on the best information security practices of leading
British and international businesses, BS 7799 has won international
acclaim, and there are discussions under way to develop it into an
international (ISO) standard.
BS 7799 - Structure & Certification
BS 7799 relates to all information, regardless of how it is processed,
the medium on which it is stored or by which it is transmitted, and
where it is located. Businesses need a system to manage the risks to
their information in an organised way, and BS 7799 provides guidance on
the best controls available and how to implement them.
Accredited third-party certification offers an independent, impartial
view of a company's security system. Auditors audit the system against
BS 7799 to ensure that the company complies with the requirements of
the standard. Obviously, the main aim of BS 7799 is to ensure that data
is as secure as possible, but there are associated benefits:
- Facilitates electronic commerce.
- Encourages and enables organisations to enter into trading agreements.
- Promotes the adoption of appropriate security management across industry.
Primarily, it helps organisations safeguard their information; secondly,
it allows them to demonstrate that they comply with a recognised
standard for information security, with the backing of an independent,
accredited certification body. Organisations that gain certification
have greater confidence in their information security, and that
confidence is shared by their associates. The certificate of
registration is a public statement of compliance.
Organisations seeking certification should select a certification body
that is accredited for BS 7799 by UKAS or an equivalent accreditation
body. The certification body will have proved its competence in the
information security sector and will employ auditors with specialist
knowledge and experience.
The first step towards implementation of a BS 7799 system is to carry
out a risk assessment, focusing on the current level of information
security within the organisation. It is important that the risk
assessment is comprehensive and that it results in the appropriate
controls and objectives being imposed on the company's management
system.
BS 7799 consists of two parts, and organisations must show compliance
with Part 2 to gain certification:
- Part 1, The Code of Practice: a guidance document which helps
companies to implement their own information security system.
- Part 2, The Requirements Specification: the requirements
specification against which companies are audited to gain certification
and subsequently to demonstrate compliance.
Part 1 is divided into ten sections which cover a comprehensive range
of controls, a subset of which will be appropriate for any business. It
includes the key controls, which are either required by legislation or
considered so fundamental as to be essential. To implement an
information security management system, companies should:
- Compile an inventory of their information and IT assets.
- Allocate responsibilities for their protection.
- Carry out the risk assessment, identifying the threats and their
potential impact.
- Select the appropriate BS 7799 controls and objectives to manage the
risks.
- Establish a system for documenting the controls and objectives.
As with all management systems, companies that achieve BS 7799
certification are regularly audited to ensure that their system
complies with the requirements of the standard and that all laid-down,
management-approved procedures are implemented. Given the fast,
constantly changing nature of computer hardware and software, this
ongoing audit is especially important.
With new frontiers being opened up all the time by developments in IT,
more and more risks are being created. For this reason, BS 7799 is a
very important standard for the future.