I just completed a major assessment for a globally-based client in which I compared their security practices (policy, standards, guidelines, and SOPs) against those recommended by 7799.
From that experience, I would assert that the ISO is an excellent *starting* point for an organization, depending upon the business's objectives and requirements. The ISO contains a good shell of information, yet lacks depth in new technologies (VPN, Remote Access, Wireless) and recently focused-upon needs such as Business Continuity/Disaster Recovery. It is comprehensive in many ways, however, and has definite worth in guiding security professionals within an organization towards establishing an appropriately built framework.

With regards to whether it is too broad/too specific: I would contest that there is no magic bullet for a security framework. The ISO covers many bases, sometimes without depth. I find this acceptable, however, because with depth comes specificity that may not match the particular business needs of an organization. The ISO is really a Practice recommendation with information about what policies should exist in an organization. Beyond that, each company must build its own framework (standards, guidelines, SOPs) to address their specific needs.

Bottom line: There is a one-size-fits-all, yet unless you enjoy wearing really loose underwear, you probably ought to have your one-size-fits-all tailored ....

Tate

--
C. Tate Baumrucker
CISSP, CCNP, Sun Enterprise Engineer, MCSE
Senior Consultant
Callisma
http://www.callisma.com

Lawrence Walsh wrote:
>
> Hello all,
>
> I'm seeking comments from security professionals and organizations that have either considered, adopted or gained certification under BS 7799/ISO 17799.
>
> Specifically, I'd like to hear about people's experience going through the adoption/certification process, why they chose to use 7799 as a framework or a standard, and whether it was worth it.
>
> I'd like to hear from people who've looked at 7799 and decided against using it. Things I'd like to hear are why it's not worth adopting, problems in its standards (too broad, too specific, etc.) and so forth.
>
> Additionally, I'd like to hear from those people who've found alternatives to 7799. What are they and why are they better than 7799?
>
> Finally, I'd be interested in people's thoughts about the creation of a "one-size-fits-all" standard for Information Security. Is such a thing possible? Will 7799 eventually evolve into such a standard? Or will there be another standard that attempts to encompass everything about IT security?
>
> I appreciate any assistance the members of this list can lend.
>
> Thanks,
> Larry Walsh
> Managing Editor
> Information Security Magazine
> [EMAIL PROTECTED]
> www.infosecuritymag.com