Reader Poll: Do you think ISO?
Topics: Compliance | Strategy
A couple of weeks ago I posted on the topic of "defining compliance." One of the suggestions raised was that businesses that identify a common control framework, or combination of frameworks, may have an opportunity to significantly reduce the costs and redundancies associated with their compliance program. The idea is that rather than approaching each requirement in a silo, and therefore attacking each related security requirement in isolation, it would be better to ensure that the organization looks more horizontally at the types of security controls that must be enacted in the context of all the requirements that must be met. More specifically, control frameworks may help a company address many of the underlying commonalities that exist in the security requirements -- either explicitly stated or implied -- within various compliance requirements. In other words, use a common set of controls to meet the similar requirements found across regulations (such as SOX and HIPAA), industry requirements (such as PCI), and the requirements levied by partners, customers and internal policies.

The question then is: what control framework provides the breadth of coverage to address the varying security controls that may underpin each of these requirements? I'm not here to advocate one or another, but what I can say is that over the past six months or so, there has been a marked uptick in the number of customers I've spoken with who are looking at the ISO 27000 series. Interestingly enough, just this week Diana Kelley of SecurityCurve wrote a story for SearchSecurity.com about this very topic. I love the way Diana frames this way of managing security controls as "reduce, reuse, and recycle." That really captures the concept in quite an illustrative manner.
I won't spoil Diana's story, but she does make the point that organizations having ISO 27001 certification will likely have many of the technology controls in place necessary to meet, for example, PCI DSS compliance. I'm going to save more discussion on ISO 27001 for a later post, but would like to close with a "reader poll" of sorts ... I'd love to hear any thoughts on these, or any other related, topics:
Respond in the "Comments" section at www.rsa.com/blog/blog_entry.aspx?id=1311.