Premier & Cabinet

Type:
Department of Premier and Cabinet Circular
Identifier:
C2004-06
Status:
Archived

C2004-06 Electronic Information Security - Certification to AS/NZS 7799

Detailed Outline

Premier's Circular 2001-46 requires all agencies to take particular steps to safeguard their electronic information. It includes the goal of certification to the national standard AS/NZS 7799 Information security management. When Circular 2001-46 was issued there was no accredited certifier. Since then SAI Global has been accredited and joined common use contract ITS 2319. Several agencies have been certified and others are in the process of becoming so. From this experience it is now possible to set target dates for certification.

The critical step to certification is establishing a Security Framework comprising:

  • A framework document that describes the scope of the information-related operations including the people, places and services that are included in the framework, and indicates risk tolerance and priorities
  • An Information Security Policy
  • A Threat and Risk Assessment
  • A Statement of Applicability that describes how AS/NZS 7799 controls will be applied as a result of the Risk Assessment

Agencies are recommended to discuss an appropriate approach to framework development with SAI Global. All agencies are to establish the Security Framework for their initial certification, with an internally approved implementation plan, by 31 December 2004.

The extent of initial certification depends on the size and organisational complexity of the agency. For smaller agencies it should be their complete organisation and full certification. For larger agencies it should be a pilot certification, typically focusing on core IT services. This initial certification is to be completed by 30 September 2005.

Agencies that take the pilot certification path are to complete their full certification by 30 June 2006. Full certification does not mean that comprehensive controls have to be in place for insignificant risks. All unacceptable risks are to be treated in order to reduce their likelihood or mitigate their consequences. Appropriate full risk treatments are to be implemented in accordance with agency priorities.

Having been initially certified, agencies are to maintain their certification with an accredited certifier and appropriately extend its coverage to areas of lower priority risk.

Where an agency's IT and related information services are provided by another agency, the agencies involved will need to consider a joint approach to certification and document it as part of the security framework. It may be appropriate to handle client certification as part of full certification.


C Gellatly
Director-General

__________________________________

Superseded by M2007-04

Overview

Compliance

Not Mandatory

AR Details

Date Issued
Mar 3, 2004
Review Date
Jun 13, 2024
Replaces
Replaced By

Contacts

Phone
02 9228 5555
Publishing Entity
Department of Premier and Cabinet
Issuing Entity
Department of Premier and Cabinet