[ISN] Security standard boosts consumer confidence

From: InfoSec News (alerts@private)
Date: Thu Feb 15 2007 - 00:11:07 PST


By Giselle Abramovich
DM News
February 14th, 2007

Data breaches are on everyone's mind.

In fact, data breaches are what triggered a need for ISO 27001, an 
international standard published in October 2005 by the International 
Organization for Standardization and the International Electrotechnical 
Commission. It provides best practice guidance on protecting the 
confidentiality, integrity and availability of information such as 
individuals' bank accounts and health and defense data.

John Rizzi, president/CEO of e-Dialog, spoke with DM News Associate 
Editor Giselle Abramovich about the standard and what he believes is 
marketers' obligation to adhere to the non-mandatory best practice in 
order to ensure consumers' data security.

What is ISO 27001?

John Rizzi: ISO 27001 certification focuses strictly on data security. 
The specification requires that a company strictly follow a set of 
stringent business practices and policies that have been developed to 
facilitate data security and systems uptime, limit vulnerabilities, 
mitigate risks and perform other steps to ensure data security.

What does the ISO code of practice preach?

The ISO creates standards across many industries and business functions. 
Each standard is a specification that forms the basis of an external 
third-party verification and certification scheme. More than just a code 
of practice, ISO 27001 puts into place a rigorous system of measurements 
and processes that include physical access restrictions; network 
security; intrusion and virus protection; controls around code changes 
for system stability and business continuity; and requirements for 
auditing, management accountability and continuous improvement. Before 
an organization receives the ISO 27001 certification, it must meet a 
series of exacting requirements and pass a detailed review conducted and 
validated by outside certified experts.

ISO 27001 certification shows that a business has taken proactive and 
preventative measures to protect clients' confidential data.

Do all companies need to comply with these rules?

ISO 27001 is not required by law or a regulation; it is voluntary. 
However, as information technology governance is increasingly recognized 
as a specific area for board and corporate attention, international 
standards related to information security have become one of the 
cornerstones of an effective IT governance framework. According to a 
November 2005 Forrester Research report, "Businesses Can Now Get an ISO 
Security Certification," ISO 27001 is being used by organizations to 
validate the security of a business partner, with some global 
organizations even requiring it before doing business with a company. 
Companies that choose not to pursue this certification can quickly lose 
ground in the global economy to competitors that are willing to get 

Is it costly for a company to implement such a management system?

The ISO 27001 compliance effort typically requires significant resources 
in terms of time, effort and expenditure. The cost can vary widely 
depending on company size and how good its practices were before they 
started the process.

What are the benefits of implementing it from a marketing perspective?

Marketers rely on vast amounts of customer data to make their campaigns 
relevant and highly targeted. The more customer-specific data they can 
collect and utilize to optimize offers, promotions, timing and more, the 
better the results. Therefore, marketers have an obligation to ensure 
the utmost security of their customers' information, and there is no 
better way to uphold that responsibility than with an ISO 27001 

With ISO 27001 and the security assurance it provides, companies can be 
sure their data, including critical customer-specific information used 
in marketing programs, will be protected to the fullest extent possible. 
This helps increase confidence in marketing programs by senior 
management, corporate security officers and internal auditors. 
Furthermore, security and IT data integrity are a competitive advantage 
today and can help protect a company's brand reputation and stock 
valuation. The CMO Council found in a recent survey of more than 2,000 
consumers that "over half would either strongly consider or definitely 
take their business elsewhere if their personal information were 
compromised." The council also cites Emory University researchers who 
found that a company's stock price falls on average 0.63 percent to 2.10 
percent in value following the report of a security breach.

What are some of the challenges that a company may face when 
implementing ISO 27001?

While a dedicated team has to be committed to complete and maintain the 
certification, it is also true that every individual in the company is 
affected. For example, not only are new controls put in place for 
physical security (e.g., the doors are always locked) but every desktop 
and laptop computer is now centrally managed so that only authorized 
software and drivers can be installed, anti-virus/malware solutions are 
strictly maintained, access can be monitored, passwords are required to 
be updated, idle computers are automatically locked and more.

How would a company go about implementing it?

Without question a company should seek the assistance of an outside 
consulting firm that specializes in ISO certification. They will provide 
detailed guidance that will help the company pass its first test for 

Forrester Research recommends that companies make ISO 27001 
certification a process, not a one-time effort or project. The 
certification requires careful planning, including developing a business 
case, carefully defining the scope, defining metrics for measurement and 
setting a realistic timeframe for certification.

This archive was generated by hypermail 2.1.3 : Thu Feb 15 2007 - 00:32:17 PST