ISO 2700: Security Asleep?



By Sarah D. Scalet 
May 22, 2007

Let’s face it, the ISO security standards--first ISO 17799, which I 
covered in detail back in March 2003 [1], and now ISO 27001 and 27002, 
which are replacing it [2]--are real yawners. I mean, who really wants 
to spend time reading page after page of a standard that no one can make 
you comply with anyway? Would you really have eaten your peas at age 4 
if your mama didn’t make you? Funny thing is, despite the fact that they 
are boring but good for you, the ISO standards may now be turning into 
the sleeper hits of the season.

Nobody is jumping up and down and waving their arms about it. But 
quietly, the standards finally seem to be taking off not only in the 
United Kingdom, their homeland, but in the United States as well. And 
it’s looking like a smart idea. Since my cover story [3] on PCI 
compliance ran last month, I’ve heard from a couple CISOs who maintain 
that PCI compliance was a cinch--because they already followed ISO 17799 
or 2700.

Bruce Wignall, CISO of the Teleperformance Group, which runs 260 contact 
centers, sent me a long e-mail to that effect (which he said we could 
publish). An excerpt:

"... [I]t only took my company 5 months to become PCI compliant compared 
to several years for most companies equivalent in size. The reason for 
our compliance in such a short period of time is we adopted ISO 17799 
security standards as our corporate security foundation a long time ago. 
We did not wait to mature our security infrastructure for a requirement 
that has teeth to it such as PCI. Rather, we embraced ISO and made it 
part of our culture a long time ago. This gave us the opportunity to 
easily adapt to other security standards such as PCI and others without 
much effort. You should be concerned about the maturity of a security 
practice at companies who take 2+ years to receive PCI certification. I 
don’t want my credit card in the hands of those companies...."

Then I had a talk with Patrick A. C¿, information security officer of 
Houghton Mifflin, the venerable textbook publisher. He said, in not 
quite so many words, the same thing--that their PCI compliance was 
fairly painless because they already had the underlying processes in 

"[ISO 2700] is very specific. It really helps you manage your security 
program, so it’s a very valuable tool. If you meet those requirements, I 
would say that almost regardless of the regulation, you’re going to pass 


