Business Impact Levels
The UK government used Business Impact Level classifications with suppliers to indicate the security level of the services they may be bidding for. Up until April 2014, when the government changed to a new set of security classifications, IL0 was the lowest level of security (no impact) and IL6 was the highest (extreme impact). In general IL2 used to be the minimum requirement for government contracts and seen as best practice, whereas the next stage IL3 demanded for example enhanced data security including segregated data systems and processes.
The aim of the Business Impact Level is to provide a common set of standards that lead to a consistency when assessing business impact. The impact levels are divided into categories and sub-categories to enable organisations to select which set of criteria is most closely related to the asset under consideration. Where an asset falls under more than one category the assessment is taken based on the worst-case business impact.
To achieve IL accreditation organisations must have their Information Security Management System (ISMS) audited, including the policy itself as well as its scope, procedures and controls in relation the ISMS and full risk assessment reports and methodologies. All ISO27001 documentation is reviewed, as well as facility design and architectural information.
IL accreditation is not a one-off certification process, it has a system of continual improvement, preventative and corrective actions built into the classification to ensure it remains up-to-date and relevant at all times.
In the new classification system there are three types: official, secret and top secret.