Larry,

When I began work on the OSSTMM (Open Source Security Testing Methodology Manual, www.osstmm.org), I used the ISO 17799 in the framework because I wanted to be sure that, for one, we did complete the most thorough security test possible and, for two, because I wanted to make sure we were compliant. That meant that anyone using the OSSTMM would be able to assure themselves of BS 7799 / ISO 17799 compliance as well. With the help of some others, we went through BS 7799 step by step, pulling out each reference that we could include in security testing-- and we noticed that for us, not much applied. The OSSTMM is a manual designed for the testing of security from the outside getting in, and the BS 7799 focused mostly on internal policy/procedure/best-practices auditing. Although the guide gave us much help and ideas, it was lacking in the area we really needed it for-- it was lacking in the testing of security controls, measures, and procedures from the outside to the inside.
I hope that helps.

Sincerely,
-pete.

-----Original Message-----
From: Lawrence Walsh [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 17:35
To: [EMAIL PROTECTED]
Subject: BS 7799/ISO 17799

Hello all,

I'm seeking comments from security professionals and organizations that have either considered, adopted or gained certification under BS 7799/ISO 17799. Specifically, I'd like to hear about people's experience going through the adoption/certification process, why they chose to use 7799 as a framework or a standard, and whether it was worth it.

I'd like to hear from people who've looked at 7799 and decided against using it. Things I'd like to hear are why it's not worth adopting, problems in its standards (too broad, too specific, etc.) and so forth.

Additionally, I'd like to hear from those people who've found alternatives to 7799. What are they and why are they better than 7799?

Finally, I'd be interested in people's thoughts about the creation of a "one-size-fits-all" standard for Information Security. Is such a thing possible? Will 7799 eventually evolve into such a standard? Or will there be another standard that attempts to encompass everything about IT security?

I appreciate any assistance the members of this list can lend.

Thanks,
Larry Walsh
Managing Editor
Information Security Magazine
[EMAIL PROTECTED]
www.infosecuritymag.com