BS7799 delivers for TNT

Business parcel delivery company TNT claims IT security standard accreditation has helped it to win new customers.

The company recently completed a year-long programme to achieve the BS7799 information security standard for its IT department.

TNT has developed a web 'track and trace' function for the 3.6 million parcels it delivers worldwide each week, and says it is vital to demonstrate that it can look after the information securely.

Peter Garfitt, the company's security manager, said BS7799 accreditation had helped reassure customers when bidding for new business.

"A lot of our business is in the higher-value market, which is targeted by the criminal element," he said. "They [customers] ask about what level of information security we provide for their information. That used to require writing detailed reports, whereas now we can just send a four-line statement."

The standard, however, has come under fire both from users and security experts for being too costly and complex to obtain, and for not being flexible enough to accommodate rapidly changing security infrastructures.

But Garfitt said that much of the accreditation work involved educating staff rather than making wholesale technology changes, and that concentrating on one part of the business at a time was a better way of managing it.

"To implement it at key locations is relatively manageable. Our intention is to roll out the standard to our other business units one chunk at a time.

"We went through the process of doing a lot of security awareness for non-IT staff - down to receptionists and security guards, who have a different view but a part to play," he said.

Changes were made to BS7799, which has also been adopted as an international standard, earlier this month to make it easier for businesses to adopt.

But security experts have said that instead of spending money on going for accreditation, large companies should concentrate on technical improvements to their security.

"BS7799 does not cover things like firewalls and intrusion detection systems, so a company that is compliant may still be vulnerable," said Chris McNab, technical director at consultants Matta Security.

"It is a stake in the ground but it comes down to classic risk management, and a large business of more than about 2,000 users is better off investing that money in technical security," he added.