ISO 17799, NIST and More: Guiding Lites

In the paranoid security world, even an accepted certification system would hardly inspire the kind of proud "ISO 9000 Certified" banners that hang from manufacturing plants across the country. But it would make the standard, well, a bit more standard.Same Beginning, Same EndIn the meantime, those who have studied all the standards say that it might not matter so much which one companies choosejust that they pick a set of best practices and try to follow them. "You pay your money, and you take your choice," says 4FrontSecurity's Crutchley (who, just for the record, is a Brit who's a certified BS 7799 auditor). "They all have the same beginning and the same end. You always end up with the best practices. It's just the way they're being approached. Pick one, and work with it."

Not that it will be the most exciting thing you ever do. Far from it. "It's a boring job to do this, to be quite honest," Crutchley warns. "Unbelievably boring."

It's also a lot of workat least that's what Chris Zoladz, vice president of information protection at Marriott, discovered when he started using ISO 17799. "It's very inclusive, very comprehensive, and it can at first be overwhelming because of the size and number of areas that are covered," he says.

To cope, Zoladz created a document based on the structure of ISO 17799 and then added in the details as best he could. Next, he distributed pieces of the document to different people in the business who had expertise in a particular area, like sales or physical security. Once he got answers back, he created a master document that he distributed to the group for further feedback. Now, the document gets reviewed and updated once a year to help him set priorities.

The end result, Zoladz admits, isn't so different from what he might have gotten by following any list of best practices. The ISO label just made it a little easier for him to get others to participate.

"Unlike maybe what you might get from one of the consultancieswhich I'm sure is fine and very usefulthe BS or ISO is recognized, it's known, it's objective," Zoladz says. "People didn't come out and say this, but I sensed that by being able to say this is a well-recognized standardimmediately there was an acceptanceas opposed to if I would have said, Hey, this is consulting firm ABC's best practices. There might have been more discussion about, how did they come up with these, or look what I just got in the mail from consulting firm D."

"Third-party credibility and objective reasons why something needs to be done are important, and standards are sometimes looked at as a way to do that," says Larry Dietz, director of market intelligence at Symantec. "Ever seen the Wizard of Oz? What was the scarecrow's problem? He didn't have a brain. And how did the wizard solve the problem? He gave him a diploma that said he was smart."