http://www2.csoonline.com/blog_view.html?CID=32939

By Sarah D. Scalet
CSO
May 22, 2007

Let's face it, the ISO security standards--first ISO 17799, which I covered in detail back in March 2003 [1], and now ISO 27001 and 27002, which are replacing it [2]--are real yawners. I mean, who really wants to spend time reading page after page of a standard that no one can make you comply with anyway? Would you really have eaten your peas at age 4 if your mama didn't make you?

Funny thing is, despite the fact that they are boring but good for you, the ISO standards may now be turning into the sleeper hits of the season. Nobody is jumping up and down and waving their arms about it. But quietly, the standards finally seem to be taking off not only in the United Kingdom, their homeland, but in the United States as well. And it's looking like a smart idea.

Since my cover story [3] on PCI compliance ran last month, I've heard from a couple CISOs who maintain that PCI compliance was a cinch--because they already followed ISO 17799 or 2700. Bruce Wignall, CISO of the Teleperformance Group, which runs 260 contact centers, sent me a long e-mail to that effect (which he said we could publish). An excerpt:

"... [I]t only took my company 5 months to become PCI compliant compared to several years for most companies equivalent in size. The reason for our compliance in such a short period of time is we adopted ISO 17799 security standards as our corporate security foundation a long time ago. We did not wait to mature our security infrastructure for a requirement that has teeth to it such as PCI. Rather, we embraced ISO and made it part of our culture a long time ago. This gave us the opportunity to easily adapt to other security standards such as PCI and others without much effort. You should be concerned about the maturity of a security practice at companies who take 2+ years to receive PCI certification. I don't want my credit card in the hands of those companies...."
Then I had a talk with Patrick A. C¿, information security officer of Houghton Mifflin, the venerable textbook publisher. He said, in not quite so many words, the same thing--that their PCI compliance was fairly painless because they already had the underlying processes in place. "[ISO 2700] is very specific. It really helps you manage your security program, so it's a very valuable tool. If you meet those requirements, I would say that almost regardless of the regulation, you're going to pass it."

[1] http://www.csoonline.com/read/030103/lite.html
[2] http://www.csoonline.com/read/020106/iso_evolves.html
[3] http://www.csoonline.com/read/040107/fea_pci.html
This archive was generated by hypermail 2.1.3 : Wed May 23 2007 - 23:21:25 PDT