Government of Bangladesh Information Security Manual (GoBISM) has been published

Government of Bangladesh Information Security Manual (GoBISM) has been published

Government of Bangladesh Information Security Manual (GoBISM) has been published on 29 February 2016. The Government of Bangladesh Information Security Manual (GoBISM) is the explanations of processes and controls that are important for the protection of Bangladesh Government unclassified information and systems. This manual is intended for use by Bangladesh Government departments, agencies and organizations. The document is made based on International Standards ISO/IEC 27001 and  ISO/IEC 27002.

GOBISM aims at to provide the Bangladesh Government with:

  • Solid, flexible and implementable information security manual that covers every important aspect of information security that needs to be implemented by government agencies in order to ensure the protection of their systems and information
  • A set of information security principles and measures that could be translated into Government legal acts, policies and standards pertaining to Bangladesh information security
  • A solid framework and set of controls for accreditation and certification of government systems
  • A flexible way for risk management based on government agencies needs and priorities
  • A smooth option to expand the GoBISM and make it applicable to classified information, if required


This GoBISM governs information security principles and controls applicable to unclassified information. Classified government information shall have an additional set of principles and controls developed and approved at appropriate level which BCC is planning to do on Second Version.


The controls presented in GoBISM shall be applicable to all government unclassified systems and information. There are mandatory controls (marked red) and recommended controls (marked green) where for mandatory controls, the use, or non use thereof is essential in order to effectively manage identified risk, unless the control is demonstrably not relevant to the respective system. The rational for non use of mandatory controls must be clearly demonstrated to the Accreditation Authority as part of the certification process, before approval for exception is granted. And for recommended controls, the use, or non use thereof is considered good and recommended practice, but valid reasons for not implementing a control could exist. The residual risk of non using recommended controls needs to be agreed and acknowledged by the Accreditation Authority with formal audit-able record of this consideration and decision.


This is a very first initiative to publish a manual on information security in Bangladesh to promote a consistent approach to information assurance and information security across entire Government of Bangladesh. BCC is started distributing the GoBISM to all the government organizations and agencies and it is also now available in BCC website.

It can be downloaded directly from here.

Note: The version has been updated. Latest version can be found here.