This snapshot, taken on 26/07/2008, shows web content selected for preservation by The National Archives.

7799 Goes Global Conference

Stephen Timms MP

London

Thursday, September 05, 2002
Ladies and Gentlemen, I would like to thank the organisers for allowing me to address you this morning and, in particular, to thank Aled Miles for allowing this slot to be the launch event for Part 2 of BS 7799 and the OECD Guidelines on information and network security.

The development of e-commerce – one of the keys to the future of our economy – has without question been held back by doubts about security.

So in addressing the challenge of information security head on, the OECD Guidelines and the revision of Part 2 of BS 7799 mark a turning point in how we rise to the challenge of e-commerce.

The OECD Guidelines were originally written in 1992 and were a landmark document for their time. With the benefit of hindsight they perhaps lacked focus and were written in an era before networking had the central importance attached to it today. They fairly quickly became out of date, but they did inspire the first version of the Code of Practice on information security management – which ultimately became ISO 17799.

There was a vacuum where we should have had guiding principles and no international consensus on the general direction of public and private policy in this area. The UK – both my Department and the private sector through the involvement of the CBI – actively promoted the need for a radical overhaul and worked on the OECD group that made that happen. We think the outcome is excellent.

The Guidelines are based on the idea that there should be a culture of security, that security considerations should be built in from the outset to every aspect of our on-line experience. They also emphasise, and this will be a vital feature of the new culture, that we all share responsibility for security.

It's not someone else's problem. If you are connected, you are responsible for conducting yourself in a way which ensures that you do not damage the interests of others. This will require companies to give the security of their networks and systems serious thought in the years ahead.

The Guidelines set a broad policy framework for ensuring that the appropriate response is taken, that we raise awareness and we implement security practice and policies in a way which respects the legitimate interests of others and does not undermine the basic values of our society.

The last four guidelines give guidance on how to run systems in a secure manner. These set out the basic requirements to assess risk, design security into systems, manage systems in a comprehensive way and update security arrangements in the light of regular reassessments.

BS 7799

The specification for an information security management system – Part 2 of BS 7799 – has been in existence for some years.

Today marks the publication of a new and revised version. It reflects progress in improving the world's other major management systems standards. It's a great step forward and I warmly welcome the work of BSI and all the participants in this exercise – both in the UK and overseas – for producing a new and improved tool to help businesses manage the risk to their information assets.

There are two aspects that are particularly worthy of note. First, the alignment of the standard with the other popular management systems standards will make life easier for companies in incorporating information security management in their overall management system. So information security management will more readily be mainstreamed as a business issue rather than being marginalised as a technical issue. It will help senior management take an active interest in how their on-line businesses are secured. It will help take information security management out of the operations room and into the Board Room.

The standard will also be used as a benchmark. It will help companies to have confidence in their suppliers – and indeed their customers – if they know that they are managing information security by using Part 2 of BS 7799 and basing their assessment of risk and choice of appropriate controls on the international guideline ISO 17799.

It is likely that the alignment with the other management systems standards will facilitate the use of third-party assessment to Part 2, and we will see this as a way of making it known that a company takes seriously its responsibility to manage its systems. My own Department has a certificate for Part 2 in relation to the management of our central office management system.

The revision of Part 2 has clear linkages to the revised OECD guidelines. By using the Standard, companies will be able to demonstrate that they are meeting the Guidelines.

The Standard will help a company show that it knows the importance of information security, and is managing its systems in a way which fully meets the last four principles of the Guidelines.

That is why today is such a landmark. We are celebrating the launch of an international framework for improving the security of information systems and a UK initiative that will help companies demonstrate their compliance with those guidelines.

I am sure that other national standards bodies will very shortly adopt the standard and that we will see it broadly accepted as an international benchmark on the coherent management of information security.

You are among the pioneers in this important field. My Department has been glad to support the conference and I hope this is the start of an international process of exchanging best practice. I hope the rest of the Conference is a success and, for those who have travelled from overseas to be here, I wish you well for your time with us.
