CHAPTER 9: STANDARDS – Managing Information Risk: A Director's Guide


Standards offer guidelines for directors and IT staff that help ensure that all bases are covered. Although not necessarily a regulatory requirement, membership of and accreditation under such schemes are often welcomed by partners, since they offer assurance that your systems risk strategy is up to scratch.

Even if your company chooses not to submit to the accreditation process, the standards can still be used as a framework to double-check that the processes outlined in this pocket guide have been met to at least baseline standards.

The main national and international standards relevant to information risk mitigation include, but are not limited to:

• ISO/IEC 27005:2008 is the international Code of Practice for information security risk management, and its guidance is increasingly widely followed. This guidance, while in line with this pocket guide, is quite detailed and will be of particular value to the information risk officer.

• BS31100:2008 is the first national Code of Practice for risk management, and it reflects substantial work done by a number of organisations, including The Institute of Risk Management, the Association of Insurance and Risk Managers, HM Treasury’s Orange Book, and the US Enterprise Risk Management – Integrated Framework. This standard provides guidance for organisations on how to approach risk management generally. This pocket guide reflects that same good practice in a specifically information risk context.

• ISO27000 series (formerly BS7799 and ISO17799) – best practice recommendations for information security management systems.

• ISO9000 series – the ISO standard for quality management systems.

• COBIT – internationally recognised guidance for IT governance and control.

• HMG Information Security Standard No. 2 (risk management and accreditation of information systems) and ISO27001.

• BSI DISC PD0008 – the British standard relating to the legal admissibility and evidential weight of information stored electronically.

• BS25999 – the British standard for business continuity planning.

• BS25777 (formerly PAS77) – a code of practice for IT service continuity management.

Relevant UK legislation includes the Public Records Act (1958 as amended), Freedom of Information Act (FOIA) (2000), Data Protection Act (1998), and Re-use of Public Sector Information Regulations (2005).