Cyber Security Institute

Friday, May 18, 2007

ISO 2700—Security Sleeper

Let’s face it, the ISO security standards—first ISO 17799, which I covered in detail back in March of 2003, and now ISO 27001 and 27002, which are replacing it—are real yawners.  Would you really have eaten your peas at age 4 if your mama didn’t make you?  Funny thing is, despite the fact that they are boring but good for you, the ISO standards may now be turning into the sleeper hits of the season.

Since the author’s cover story on PCI compliance ran last month, he has heard from a couple of CISOs who maintain that PCI compliance was a cinch because they already followed ISO 17799 or 2700.  “This gave us the opportunity to easily adapt to other security standards such as PCI and others without much effort.”

You should be concerned about the maturity of the security practice at companies that take 2+ years to receive PCI certification.  I don’t want my credit card in the hands of those companies…

Then, this morning, the author had a talk with Patrick A. Côté, information security officer of Houghton Mifflin, the venerable textbook publisher.  He said, in not quite so many words, the same thing—that their PCI compliance was fairly painless because they already had the underlying processes in place.

http://blogs.csoonline.com/iso_2700_securitys_sleeper
