ISO 2700: Security Asleep?

The ISO security standards--first ISO 17799, which is being replaced by ISO 27001 and 27002--are real yawners.

Let’s face it, the ISO security standards—first ISO 17799, which I covered in detail back in March 2003, and now ISO 27001 and 27002, which are replacing it—are real yawners. I mean, who really wants to spend time reading page after page of a standard that no one can make you comply with anyway? Would you really have eaten your peas at age 4 if your mama didn’t make you? Funny thing is, despite the fact that they are boring but good for you, the ISO standards may now be turning into the sleeper hits of the season.

Nobody is jumping up and down and waving their arms about it. But quietly, the standards finally seem to be taking off not only in the United Kingdom, their homeland, but in the United States as well. And it’s looking like a smart idea. Since my cover story on PCI compliance ran last month, I’ve heard from a couple CISOs who maintain that PCI compliance was a cinch—because they already followed ISO 17799 or 2700.

Bruce Wignall, CISO of the Teleperformance Group, which runs 260 contact centers, sent me a long e-mail to that effect (which he said we could publish). An excerpt:

"It only took my company 5 months to become PCI compliant compared to several years for most companies equivalent in size. The reason for our compliance in such a short period of time is we adopted ISO 17799 security standards as our corporate security foundation a long time ago. We did not wait to mature our security infrastructure for a requirement that has teeth to it such as PCI. Rather, we embraced ISO and made it part of our culture a long time ago. This gave us the opportunity to easily adapt to other security standards such as PCI and others without much effort. You should be concerned about the maturity of a security practice at companies who take 2+ years to receive PCI certification. I don’t want my credit card in the hands of those companies..."

Then I had a talk with Patrick A. Cote, information security officer of Houghton Mifflin, the venerable textbook publisher. He said, in not quite so many words, the same thing—that their PCI compliance was fairly painless because they already had the underlying processes in place.

"[ISO 2700] is very specific. It really helps you manage your security program, so it’s a very valuable tool. If you meet those requirements, I would that say almost regardless of the regulation, you’re going to pass it."

Sounds to me like your mama was right, and eating your peas can pay off.

Copyright © 2007 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)