BS 7799 is the British standard that established the first formal framework for an information security management system (ISMS). The standard itself has been withdrawn, but its two parts live on as ISO/IEC 27002 and ISO/IEC 27001, so an organisation that implements the modern standard inherits its structure: a defined scope, a risk assessment that drives control selection, and a recurring cycle of internal audit and management review.
What is BS 7799?
BS 7799 is the British Standard that served as the original foundation for the entire ISO 27000 family of information security standards. First published by the British Standards Institution (BSI) in 1995, it was a national standard rather than an international one, but it was the first published standard for an Information Security Management System (ISMS) and the model on which the later ISO/IEC standards were built. The standard has since been withdrawn and replaced by its ISO counterparts, yet it remains a crucial part of the history of ISO 27001.
Context
The BS 7799 standard was initially split into two main parts:
- BS 7799-1: A Code of Practice for information security management. It was adopted internationally as ISO/IEC 17799 in 2000 and renumbered ISO/IEC 27002 in 2007. This document provides detailed guidance and a catalogue of controls.
- BS 7799-2: The specification for an ISMS, first published in 1998 and revised in 2002, which became ISO/IEC 27001 in 2005. This part is the certifiable standard that defines the requirements an ISMS must meet to be audited against.
Why it matters
Understanding BS 7799 provides valuable historical context and shows the evolution of ISO 27001 from a British standard to a globally recognised framework. It also highlights that the core principles of information security management have remained consistent over time.
| Related ISO 27001 Control / Concept | Relationship Description |
|---|---|
| ISO 27001 (Main Standard) | Direct Evolution: BS 7799-2 was the British Standard that served as the blueprint for, and in 2005 became, the international ISO/IEC 27001 standard. |
| ISO 27002 (Annex A Controls) | Guidance Origin: BS 7799-1 was the “Code of Practice” for information security, which became ISO/IEC 17799 and then ISO/IEC 27002, the guidance behind the Annex A controls used today. |
| Information Security Management System (ISMS) | Core Framework: BS 7799 established the first published framework for an ISMS, defining the scope, risk assessment, control selection and review requirements that organisations still follow to manage security risk. |
| BSI (British Standards Institution) | Authoring Body: BSI is the organization that originally published BS 7799 in 1995 and continues to be a major player in ISO 27001 certification and auditing. |
| ISO 27000 Series | Foundational Standard: BS 7799 is recognized as the “ancestor” or foundation for the entire family of ISO 27000 standards. |
How to implement the BS 7799 approach today
BS 7799 itself can no longer be implemented for certification, but its core principles form the bedrock of the modern ISO 27001 framework, so implementing an ISMS today means implementing the current standard. The work is a transition from a fixed checklist of legacy controls to a dynamic, risk-based management system. The 10-step roadmap below follows the structure of the standard (scope, leadership, risk assessment, control implementation, internal audit, management review) so that the resulting ISMS satisfies both the original rigour and contemporary certification and regulatory requirements.
1. Define Governance and Organisational Scope
- 1. Formalise the ISMS Scope and Boundary: Document the specific physical, logical, and organisational limits of the system, including interfaces to services outside the scope, resulting in a defined boundary that prevents scope creep during certification.
- 2. Approve the Leadership Commitment Statement: Secure formal ratification from the Board of Directors, resulting in the mandatory resource allocation and authority required for successful ISMS implementation.
2. Asset Management and Risk Identification
- 3. Provision a comprehensive Asset Register: Identify and categorise information assets, hardware, software, and the services that process them, and assign an owner to each, resulting in an inventory that the risk assessment can be performed against.
- 4. Execute a Risk Assessment: Apply a documented methodology with defined risk acceptance criteria to identify threats and vulnerabilities for every asset, resulting in a prioritised Risk Treatment Plan (RTP) based on business impact and a Statement of Applicability (SoA) that justifies each control selected or excluded.
3. Logical Access and Identity Controls
- 5. Implement Identity and Access Management (IAM) Roles: Configure granular access permissions based on the Principle of Least Privilege and review them on a fixed schedule, resulting in a sharp limit on the lateral movement an attacker can achieve with a single compromised account.
- 6. Enforce Multi-Factor Authentication (MFA): Mandate MFA for all remote access and privileged accounts, resulting in a significant reduction in the risk of credential-based breaches.
4. Technical Hardening and Monitoring
- 7. Provision Vulnerability Management Tools: Deploy automated scanners to identify configuration drift and missing patches, with defined remediation timescales by severity, resulting in a proactive defence against known exploit pathways.
- 8. Formalise Operating Procedures and Supplier Agreements: Document the rules that system administrators and third-party vendors must follow (change control, privileged access, acceptable use, logging), resulting in standardised and auditable technical conduct.
5. Internal Compliance and Auditing
- 9. Audit the ISMS via Internal Assessments: Execute a full review of the management system clauses and of the Annex A controls selected in the SoA, resulting in the identification of non-conformities before the formal Stage 1 and Stage 2 external audits.
6. Management Review and Improvement
- 10. Execute the Formal Management Review: Convene senior leadership to review audit results and security metrics, resulting in continuous improvement and the ongoing suitability of the security framework.
BS 7799 FAQ
What is BS 7799 in information security?
BS 7799 was the seminal British Standard for information security management systems (ISMS). Published in 1995 by the BSI, it provided the structural blueprint for ISO/IEC 27001 and ISO/IEC 27002, establishing the original set of security controls and the risk management principles used globally today.
How does BS 7799 differ from ISO 27001?
BS 7799 is the national predecessor, whereas ISO 27001 is the current international standard. ISO/IEC 27001:2005 adopted the legacy BS 7799-2:2002 specification with few substantive changes in order to give it global recognition; the 2013 and 2022 revisions then strengthened the requirements for leadership commitment and continual improvement and aligned the clause structure with other ISO management system standards.
What are the two parts of the BS 7799 standard?
BS 7799 was divided into two distinct components. Part 1 served as a comprehensive code of practice for security controls, which became ISO/IEC 17799 in 2000 and later ISO/IEC 27002. Part 2, first published in 1998, established the formal specification for an ISMS, providing the basis for the first auditable certification standard in information security.
Why is BS 7799 still relevant for ISO 27001 auditors?
It is relevant because it defines the heritage of the Annex A control set. Understanding BS 7799 allows auditors to trace the evolution of security requirements: the controls in BS 7799-1 passed through ISO/IEC 17799 and ISO/IEC 27002 into Annex A, and although their numbering and grouping have changed with each revision (ISO/IEC 27001:2022 lists 93 controls in four themes), most control objectives trace back to the original code of practice.
Can an organisation still get certified to BS 7799?
No, organisations can no longer receive BS 7799 certification. It was officially withdrawn and replaced by ISO/IEC 27001:2005. Today, an organisation seeking an auditable security standard must comply with the current edition of ISO/IEC 27001 (ISO/IEC 27001:2022) to ensure international recognition and regulatory validity.