Information Security Manual for the Government of Bangladesh (GOBISM)
Published on 20-Sep-2021 15:59:00
This report on the development of the Information Security Manual for the Government of Bangladesh (GOBISM) provides the final version of GOBISM. The document is based on the international standards ISO/IEC 27001:2013 and ISO/IEC 27002:2013, which we consider to be the best international standards governing information security in organizations, and we expect to see an increasing number of organizations implementing those standards in the near future. In addition, GOBISM follows the framework and controls established in the New Zealand Information Security Manual (NZISM); a report on this matter was provided to the Bangladesh Computer Council along with reports on the Australian ISM, UK ISM and US ISM on 9 February 2016. We believe that by following best international practice in information security management, merging two outstanding documents (the ISO/IEC 270xx standards and the New Zealand Information Security Manual) and adapting them to the needs of the Government of Bangladesh, we are able to provide the Bangladesh Computer Council with:
- a solid, flexible and implementable information security manual that covers every important aspect of information security that government agencies need to implement in order to ensure the protection of their systems and information;
- a set of information security principles and measures that could be translated into Government legal acts, policies and standards pertaining to information security in Bangladesh;
- a solid framework and set of controls for the accreditation and certification of government systems;
- a flexible approach to risk management based on the needs and priorities of government agencies;
- a straightforward option to expand GOBISM and make it applicable to classified information, if required.
The Government of Bangladesh Information Security Manual (GOBISM) details the processes and controls that are important for the protection of Bangladesh Government unclassified information and systems. The manual is intended for use by Bangladesh Government departments, agencies and organizations; private sector organizations are also encouraged to use it. GOBISM governs the information security principles and controls applicable to unclassified information. Classified government information shall have an additional set of principles and controls developed and approved at the appropriate level. The controls presented in GOBISM shall be applicable to all government unclassified systems and information, and are divided into two categories:
Mandatory controls: the use, or non-use, thereof is essential in order to effectively manage identified risk, unless the control is demonstrably not relevant to the respective system. The rationale for non-use of a mandatory control must be clearly demonstrated to the Accreditation Authority as part of the certification process before approval for an exception is granted.
Recommended controls: the use, or non-use, thereof is considered good and recommended practice, but valid reasons for not implementing a control could exist. The residual risk of not using a recommended control needs to be agreed and acknowledged by the Accreditation Authority, with a formal auditable record of this consideration and decision. System owners seeking a dispensation for non-compliance with any mandatory control in this manual must be granted that dispensation by their Accreditation Authority.