Welcome to the SecAware blog

I spy with my beady eye ...

25 Apr 2007

Labour pains for ISO 27002

Like expectant parents, we are anxiously awaiting news of the renaming of ISO/IEC 17799:2005 to ISO/IEC 27002:2007. We are keeping our beady eye (just the one, you understand) on the ISO and BSI websites and all the usual press release outlets. Idly searching Google to distract us from the noise of the labour, we chanced across a Forrester Research report in 2005 that spells out the pros and cons of ISO 17799. Author Michael Rasmussen neatly summarized the benefits of applying accepted good practices in information security management, and the drawbacks of expecting too much from a framework. The ISO standards are necessarily generic guidance, meaning that the nitty-gritty details of risks of concern to, and controls that are required by, any specific organization are left to management and expert advisors. The argument that ISO 17799 is "not specific enough" is widely made but minsunderstands the value and purpose of such international best practice management systems standards.

Anyway, we wil soon be taking up knitting or smoking or something. The tension is killing us.

1 comment:

  1. Oh, honestly. If the ISO isn't "specific" enough for you, you have much bigger problems than certification, or even the use of an ISMS as a standard for developing a controls framework.