List: isn
Subject: [ISN] ISO 2700: Security Asleep?
From: InfoSec News <alerts () infosecnews ! org>
Date: 2007-05-24 5:59:17
Message-ID: Pine.LNX.4.61.0705240059060.17342 () conundrum ! infosecnews ! org
http://www2.csoonline.com/blog_view.html?CID=32939
By Sarah D. Scalet
CSO
May 22, 2007
Let's face it, the ISO security standards--first ISO 17799, which I
covered in detail back in March 2003 [1], and now ISO 27001 and 27002,
which are replacing it [2] --are real yawners. I mean, who really wants
to spend time reading page after page of a standard that no one can make
you comply with anyway? Would you really have eaten your peas at age 4
if your mama didn't make you? Funny thing is, despite the fact that they
are boring but good for you, the ISO standards may now be turning into
the sleeper hits of the season.
Nobody is jumping up and down and waving their arms about it. But
quietly, the standards finally seem to be taking off not only in the
United Kingdom, their homeland, but in the United States as well. And
it's looking like a smart idea. Since my cover story [3] on PCI
compliance ran last month, I've heard from a couple CISOs who maintain
that PCI compliance was a cinch--because they already followed ISO 17799
or 2700.
Bruce Wignall, CISO of the Teleperformance Group, which runs 260 contact
centers, sent me a long e-mail to that effect (which he said we could
publish). An excerpt:
"... [I]t only took my company 5 months to become PCI compliant compared
to several years for most companies equivalent in size. The reason for
our compliance in such a short period of time is we adopted ISO 17799
security standards as our corporate security foundation a long time ago.
We did not wait to mature our security infrastructure for a requirement
that has teeth to it such as PCI. Rather, we embraced ISO and made it
part of our culture a long time ago. This gave us the opportunity to
easily adapt to other security standards such as PCI and others without
much effort. You should be concerned about the maturity of a security
practice at companies who take 2+ years to receive PCI certification. I
don't want my credit card in the hands of those companies...."
Then I had a talk with Patrick A. CÂ ¿ information security officer of
Houghton Mifflin, the venerable textbook publisher. He said, in not
quite so many words, the same thing--that their PCI compliance was
fairly painless because they already had the underlying processes in
place.
"[ISO 2700] is very specific. It really helps you manage your security
program, so it's a very valuable tool. If you meet those requirements, I
would say that almost regardless of the regulation, you're going to pass
it."
[1] http://www.csoonline.com/read/030103/lite.html
[2] http://www.csoonline.com/read/020106/iso_evolves.html
[3] http://www.csoonline.com/read/040107/fea_pci.html