
Sarah D. Scalet
Senior Editor

So Many Standards, So Little Time

Mar 01, 2003 | 2 mins
Compliance | CSO and CISO | Data and Information Security

British Standard 7799 Part 1: From the British Standards Institute, it is high-level security advice widely used in the United Kingdom and elsewhere. Critics contend that it makes security seem like a checklist, not a process.

British Standard 7799 Part 2: Also from the British Standards Institute, BS 7799 Part 2 is similar to Part 1 but with fewer suggestions for implementation. The document says that organizations “shall” do things, not that they “should,” which means companies can be certified against it.

ISO 17799: Based on BS 7799, this standard was hurriedly passed in 2000 by the Geneva, Switzerland-based International Organization for Standardization (which goes by the acronym ISO, for obscure reasons) and is currently being revised. People love it and hate it for the exact same reasons: It tells you what to do but not how to do it. Despite the fact that it’s called a standard, it functions more like a guideline, with wording that companies “should” do things, not that they “shall.” Companies cannot be certified against ISO 17799.

ISO Guidelines for the Management of IT Security: Known as GMITS, this is a five-part technical report from ISO. It’s currently being edited, in part to make sure it doesn’t contradict ISO 17799.

NIST Special Publication 800-14: This document, titled Generally Accepted Principles and Practices for Securing Information Technology Systems, comes from the U.S. National Institute of Standards and Technology. This set of guidelines is based on BS 7799, but it is more detailed. Other related NIST Special Publications are 800-12, The Computer Security Handbook; and 800-26, The Security Self-Assessment Guide for Information Technology Systems.

Generally Accepted Systems Security Principles: Known as GASSP, this standard, being created by the Information Systems Security Association, aims to be security’s answer to the Generally Accepted Accounting Principles from the Financial Accounting Standards Board, which are widely used in the United States. GASSP is being renamed the Generally Accepted Information Security Principles (GAISP).