|Title:||BS 7799-3:2006 - Information security management systems -- Guidelines for information security risk management|
(Note: the title links to the BSI page where the standard can be purchased. The standard is not free of charge and its provisions are not publicly available, so specific provisions cannot be quoted here.)
|Topic:||Standard containing general guidelines for information security risk management.|
|Direct / indirect relevance:||Direct. While not legally binding, the text contains direct guidelines for the creation of sound information security practices.|
|Scope:||BSI standard (not publicly available) that organisations may implement voluntarily.|
|Legal force:||Nonbinding BSI standard.|
|Affected sectors:||Generic. The standard can be implemented in any sector that faces information security requirements.|
|Relevant provision(s):||The standard is not free of charge, and its provisions are not publicly available. For this reason, specific provisions cannot be quoted.
The publicly available BSI abstract describes the standard as follows:
“Identifying, evaluating, treating and managing information security risks are key processes if businesses want to keep their information safe and secure. Whilst these processes are specified in the information security standard BS ISO/IEC 27001:2005, further guidance is required on how to manage these risks as well as to put them into context with other business risks.
BS 7799-3:2006 provides this guidance and covers:
• risk assessment
• risk treatment
• management decision making
• risk re-assessment
• monitoring and reviewing of risk profile
• information security risk in the context of corporate governance
• compliance with other risk based standards and regulations.”|
|Relevance to RM/RA:||The standard is primarily intended as a complementary guidance document for applying the aforementioned ISO 27001:2005, and is therefore typically used in conjunction with that standard in risk assessment practice.|