
[ISN] ISO 2700: Security Asleep?


By Sarah D. Scalet 
May 22, 2007

Let’s face it, the ISO security standards--first ISO 17799, which I 
covered in detail back in March 2003 [1], and now ISO 27001 and 27002, 
which are replacing it [2] --are real yawners. I mean, who really wants 
to spend time reading page after page of a standard that no one can make 
you comply with anyway? Would you really have eaten your peas at age 4 
if your mama didn’t make you? Funny thing is, despite the fact that they 
are boring but good for you, the ISO standards may now be turning into 
the sleeper hits of the season.

Nobody is jumping up and down and waving their arms about it. But 
quietly, the standards finally seem to be taking off not only in the 
United Kingdom, their homeland, but in the United States as well. And 
it's looking like a smart idea. Since my cover story [3] on PCI 
compliance ran last month, I've heard from a couple of CISOs who maintain 
that PCI compliance was a cinch--because they already followed ISO 17799 
or ISO 27001.

Bruce Wignall, CISO of the Teleperformance Group, which runs 260 contact 
centers, sent me a long e-mail to that effect (which he said we could 
publish). An excerpt:

"... [I]t only took my company 5 months to become PCI compliant compared 
to several years for most companies equivalent in size. The reason for 
our compliance in such a short period of time is we adopted ISO 17799 
security standards as our corporate security foundation a long time ago. 
We did not wait to mature our security infrastructure for a requirement 
that has teeth to it such as PCI. Rather, we embraced ISO and made it 
part of our culture a long time ago. This gave us the opportunity to 
easily adapt to other security standards such as PCI and others without 
much effort. You should be concerned about the maturity of a security 
practice at companies who take 2+ years to receive PCI certification. I 
don’t want my credit card in the hands of those companies...."

Then I had a talk with Patrick A. C¿, information security officer of 
Houghton Mifflin, the venerable textbook publisher. He said, in not 
quite so many words, the same thing--that their PCI compliance was 
fairly painless because they already had the underlying processes in 

"[ISO 2700] is very specific. It really helps you manage your security 
program, so it's a very valuable tool. If you meet those requirements, I 
would say that almost regardless of the regulation, you're going to pass 

[1] http://www.csoonline.com/read/030103/lite.html 
[2] http://www.csoonline.com/read/020106/iso_evolves.html 
[3] http://www.csoonline.com/read/040107/fea_pci.html
