Legal Admissibility
Cadweb is the ONLY Project Extranet that is certified to ISO 27001 Information Security Management and BS10008 Evidential weight and legal admissibility of electronic information.
Why does it matter that the Extranet complies with ISO 27001 and BS10008?

Using a Project Extranet that is certified to ISO 27001 and BS10008 will shift the weight of evidence in your favour. You can be certain that any evidence from a system certified to these standards will be admissible in court. Conversely, you cannot be certain either of the admissibility or of the evidential weight if the evidence comes from a system not certified to these standards (e.g. most email).

Electronic documents may not be accepted in court and will not carry as much weight if the Project Extranet from which they are produced cannot independently demonstrate their integrity and reliability. The best way to demonstrate this and avoid these risks is by using a service which is certified to the International Standard ISO 27001 and BS10008.


ISO 27001

ISO 27001 Information Security Management is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and quantify the range of threats to which information is regularly subjected.

ISO 27001 Information Security Management covers known security issues through the many control requirements listed below, and requires a quantifiable assessment and improvement program.

Comprehensive Information Security policies within organizations set out procedures to be followed, safeguarding information such as corporate information and customer information.

One requirement of the standard is an Information Security Management System (ISMS), which is a systematic approach to managing sensitive company information, ensuring it remains both secure and available. It encompasses people, processes and IT systems.

ISO 27001 Information Security Management sets out the procedures needed to set up a fully secure Project Extranet. It includes a requirement for security controls in the following areas:

  • Security policy - This provides management direction and support for information security.
  • Organization of assets and resources - To help you manage information security within the organization.
  • Asset classification and control - To help you identify your assets and appropriately protect them.
  • Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.
  • Communications and operations management - To ensure the correct and secure operation of information processing facilities.
  • Access control - To control access to information.
  • Systems development and maintenance - To ensure that security is built into information systems.
  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.

The standard is externally audited in the same way as quality, health & safety and environmental standards are audited, so its validity is independently guaranteed. The British Standards Institute audits Cadweb.net bi-annually.

To get an up-to-date list of everyone who is certified to this standard, you can search the ‘Certificate Register’ at http://www.iso27001certificates.com.

One requirement of ISO 27001 Information Security Management is that a rigorous audit trail is created every time a file is either sent or received. This guarantees that files cannot be tampered with, that ‘what you send is received’ (WYSIR), and that every file is reliably logged. This is essential for systems that rely on the internet, a ‘public’ network that no one organisation controls, for the transmission of audited files.

Many insurers now recognise the benefits of storing electronic information on a system certified to ISO 27001 Information Security Management. If you are going to depend upon electronically stored information, rather than go to the expense of making hardcopy archives, insurers will now require you to be able to demonstrate that your electronic archive could not have been tampered with (most cases look at information more than 5 years old). To do this, the system on which the evidence is stored should be certified to ISO 27001 Information Security Management.




BS 10008 defines current technical best practice. It covers system planning, implementation and the procedures for using a system. On the technical side it stipulates how data should be stored (BIP 0008-1), transferred (BIP 0008-2) and linked (BIP 0008-3). It also focuses on the importance of setting up authorised procedures and being able to demonstrate in court that these procedures have been followed.

Legal admissibility concerns whether or not a piece of evidence would be accepted by a court of law. To ensure admissibility, information needs to be managed by a secure system throughout its lifetime (which can be for many years). Where doubt can be placed on the information, the evidential weight may well be reduced, potentially harming the legal case.

BS 10008 ensures that any electronic information required as evidence of a business transaction is afforded the maximum evidential weight. The process is based on the specification of requirements for planning, implementing, operating, monitoring and improving the organization’s information management systems.

What is BS 10008?

BS 10008 is the British Standard that specifies the requirements for the implementation and operation of electronic information management systems, and for the electronic transfer of information from one computer system to another, addressing issues relating to the authenticity and integrity of the electronic information. These issues are important where the electronic information could be used as evidence.

BS 10008 also specifies the requirements for the management of the availability of the electronic information over time.

BS 10008 addresses issues related to electronic identity verification, including the use of electronic signatures and electronic copyright systems, as well as the linking of electronic identity to particular electronic documents.

The requirements specified in BS 10008 are generic and apply to any corporate body, large or small, whatever the nature of its business. The extent of application of these requirements depends on the corporate body’s operating environment and complexity.

It applies to electronic information in any form.

Alan Shipman, Chairman of the BSI committee responsible for the development of BS 10008, said: “The new standard is an important step in ensuring the admissibility of evidence in the UK. It has been developed by a wide range of experts in the field of document management as a specification of good practice”.

What does the standard include?

  • The management of electronic information over long periods, including through technology changes, where information integrity is vital
  • How to manage the various risks associated with electronic information
  • How to demonstrate the authenticity of electronic information
  • The management of quality issues related to document scanning processes
  • The provision of a full life history of an electronic object throughout its life
  • Electronic transfer of information from one computer system to another
  • The policies, security issues, procedures, technology requirements and auditability of electronic document management systems (EDMS)


For further information about BSI Information Security, please visit http://www.bsi-uk.com/InformationSecurity/index.xalter.






© 1995-2010 Cadweb Limited. All rights reserved.