News
5/19/2006 11:20 AM

Want To Pass Your Next Security Audit? New Standard May Be The Answer

ISO 27001 positions companies to move quickly when they spot a potential threat.

Much has been made of our inability to prevent cyberattacks. New technology at best slows attackers, forcing them to find other ways of terrorizing victims. Now some tech pros are pointing to an ISO security standard as the answer.

ISO 27001 was approved in October, replacing British Standard 7799-2 as a way to position companies to pass security audits. In certifying to it, companies are in a position to move quickly when they identify a potential problem.

Consulting firm Churchill & Harriman worked with the Federal Reserve Bank of New York to bring its national incident response unit into compliance with ISO 27001, putting the bank ahead of most U.S. businesses. The national incident response unit monitors, analyzes, and escalates information about security threats to the business. Out of necessity, financial services companies lead the way in technology adoption, particularly in security, says Ken Peterson, CEO of the consulting firm.

Of the 2,546 businesses worldwide certified to BS7799-2 or ISO 27001, only 120 operate in the United States. By contrast, 1,517 of the certifications have gone to Japanese companies, the most in any country.

ISO 27001 may help businesses secure cybersecurity insurance, says Barry Kouns, the Churchill & Harriman VP who led his firm's work with the Federal Reserve Bank of New York. "This type of insurance would pay if there was a denial-of-service attack or data theft," he says. To qualify for such insurance, companies must demonstrate that they have security measures and processes in place.

Of course, standards will never be more than a foundation; they don't predict the next bug in Windows or an attacker's ability to exploit that bug. ISO 27001's detractors say it's an expensive process with little guarantee of success in combating the next threat. Standards primarily organize a company's security strategy so that security professionals know what to do to address a particular problem.

Process frameworks such as ISO 27001 are built by committee, "but not all of these ideas are good or have been tested," says Gene Kim, CTO at Tripwire, which makes change-auditing software. "Management has to do something, so they go with what's most popular." Based on his research of successful companies, top performers address specific problems rather than overhauling their entire organization. Says Kim, "It's best to do 20% and get 80% of the results."
