
Want To Pass Your Next Security Audit? New Standard May Be The Answer

ISO 27001 positions companies to move quickly when they spot a potential threat.

Much has been made of our inability to prevent cyberattacks. New technology at best slows attackers, forcing them to find other ways of terrorizing victims. Now some tech pros are pointing to an ISO security standard as the answer.

ISO 27001, which specifies the requirements for an information security management system, was approved in October, replacing British Standard (BS) 7799-2 as the standard companies certify to in order to pass security audits. Certifying to it puts a company in a position to move quickly when it identifies a potential problem.

Consulting firm Churchill & Harriman worked with the Federal Reserve Bank of New York to bring its national incident response unit into compliance with ISO 27001, putting the bank ahead of most U.S. businesses. The national incident response unit monitors, analyzes, and escalates information about security threats to the business. Out of necessity, financial services companies lead the way in technology adoption, particularly in security, says Ken Peterson, CEO of the consulting firm.

Of the 2,546 businesses worldwide certified to BS 7799-2 or ISO 27001, only 120 operate in the United States. By contrast, 1,517 of the certifications have gone to Japanese companies, the most in any country.

ISO 27001 may help businesses secure cybersecurity insurance, says Barry Kouns, the Churchill & Harriman VP who led his firm's work with the Federal Reserve Bank of New York. "This type of insurance would pay if there was a denial-of-service attack or data theft," he says. To qualify for such insurance, companies must demonstrate that they have security measures and processes in place.

Of course, standards will never be more than a foundation; they don't predict the next bug in Windows or an attacker's ability to exploit that bug. ISO 27001's detractors say it's an expensive process with little guarantee of success in combating the next threat. Standards primarily organize a company's security strategy so that security professionals know what to do to address a particular problem.

Process frameworks such as ISO 27001 are built by committee, "but not all of these ideas are good or have been tested," says Gene Kim, CTO at Tripwire, which makes change-auditing software. "Management has to do something, so they go with what's most popular." Based on his research into successful companies, top performers address specific problems rather than overhauling their entire organization. Says Kim, "It's best to do 20% and get 80% of the results."
