Following HMRC's data loss, the BSI has restated the role of standards in information security and data protection

‘The events of the last couple of days will force many organizations to reassess their handling of valuable data. A range of British Standards in this area can provide a structured approach to information security and data protection. Specific guidance and the opportunity for independent 3rd party certification are also available,’ said Mike Low, director of BSI British Standards.

‘Last year 62% of businesses reported information security issues but with a range of international standards, detailed guidance, certification and training available, there are well established business tools available to all types of organisations to manage such risks.’

Making sure the right people, processes, procedures and technology are in place is key to the protection of information assets, said BSI. BS ISO/IEC 27001 is a certifiable standard, which means an organization of any size, sector or function can seek independent third-party verification of its information management performance.

The BSI said its data protection guide (BIP 0012) was prepared with the assistance of the Office of the Information Commissioner and UK industry. It provides practical guidance on implementing the Data Protection Act (1998) legislation and deals specifically with areas such as email policy, database management, subject access and e-commerce.

BSI foresees more work on a new data protection standard which will provide organizations with a method of assessing and demonstrating their compliance with the requirements of the Data Protection Act (1998).

Low said, ‘We are actively engaged with the Information Commission and many other local and global stakeholders to deliver a comprehensive range of standards-based business tools that provide not only advice, but effective implementation of best practice in this area.’

‘A key point in any business for ensuring that it manages such risks is not just using the standard, but ensuring it is embedded into the organization and demonstrating, through independent and regular assessment, that their processes and capabilities are kept up to date.’