
Want To Pass Your Next Security Audit? New Standard May Be The Answer

ISO 27001 positions companies to move quickly when they spot a potential threat.

Much has been made of our inability to prevent cyberattacks. New technology at best slows attackers, forcing them to find other ways of terrorizing victims. Now some tech pros are pointing to an ISO security standard as the answer.

ISO 27001 was approved in October, replacing British Standard 7799-2 as a way to position companies to pass security audits. In certifying to it, companies are in a position to move quickly when they identify a potential problem.

Consulting firm Churchill & Harriman worked with the Federal Reserve Bank of New York to bring its national incident response unit into compliance with ISO 27001, putting the bank ahead of most U.S. businesses. The national incident response unit monitors, analyzes, and escalates information about security threats to the business. Out of necessity, financial services companies lead the way in technology adoption, particularly in security, says Ken Peterson, CEO of the consulting firm.

Of the 2,546 businesses worldwide certified to BS7799-2 or ISO 27001, only 120 operate in the United States. By contrast, 1,517 of the certifications have gone to Japanese companies, the most in any country.

ISO 27001 may help businesses secure cybersecurity insurance, says Barry Kouns, the Churchill & Harriman VP who led his firm's work with the Federal Reserve Bank of New York. "This type of insurance would pay if there was a denial-of-service attack or data theft," he says. To qualify for such insurance, companies must demonstrate that they have security measures and processes in place.

Of course, standards will never be more than a foundation; they don't predict the next bug in Windows or an attacker's ability to exploit that bug. ISO 27001's detractors say it's an expensive process with little guarantee of success in combating the next threat. Standards primarily organize a company's security strategy so that security professionals know what to do to address a particular problem.

Process frameworks such as ISO 27001 are built by committee, "but not all of these ideas are good or have been tested," says Gene Kim, CTO at Tripwire, which makes change-auditing software. "Management has to do something, so they go with what's most popular." Based on his research of successful companies, top performers address specific problems rather than overhauling their entire organization. Says Kim, "It's best to do 20% and get 80% of the results."
