A Standard Among Standards

In sports you sometimes hear the phrase, “man among men.” It usually means a player stands out from the rest as being bigger, stronger or faster. In basketball it would be Wilt Chamberlain or Shaquille O’Neal. In football it would be “Mean” Joe Greene or Ray Lewis. My goofy mind somehow applied this to information security. Wouldn’t it be nice if there was a “standard among standards”?

I’m most familiar with the Payment Card Industry Data Security Standard, which many consider to be the most rigorous. I’ve always been surprised that even the card issuers themselves treat it like paying taxes. They only do it because they have to. Similarly, those same card issuers often don’t require their vendors to be PCI compliant. I know because I was one of those vendors. The checklist would include things like audited financial statements, schedule of insurance, privacy policy, and SAS70/SSAE16 report. But only half the time was I asked for our PCI Attestation of Compliance.

Even worse, I sometimes found myself chasing other standards to enable business lines in our rewards-based programs. For example, meeting certain HIPAA requirements in order to partner with healthcare providers. Nearly all States now have laws on PII. If you do any work for the Federal government, FISMA regulations come into play. If you want to take a company public on an American stock exchange, SOX comes into play. In fact, every major entity whose livelihood would be endangered by a security breach follows one or more of these standards, regulations or legislative acts.

There’s a great deal of overlap. The controls for protecting cardholder data, for example, are very similar to those for protecting patient data. The principles of  security are the same regardless of the type of data being secured. So why can’t there be a “standard among standards”? One gold standard that incorporates the best of each? For any company that works with more than one standard, and there are more of them every month, the cost savings would be huge.

ISO 27001: The Gold Standard

The Gold StandardISO 27001 could be this gold standard. It is a risk-based international standard for information security management systems that requires management to:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.



Leave a Reply

Your email address will not be published. Required fields are marked *