In sports you sometimes hear the phrase, “man among men.” It usually means a player stands out from the rest as being bigger, stronger or faster. In basketball it would be Wilt Chamberlain or Shaquille O’Neal. In football it would be “Mean” Joe Greene or Ray Lewis. My goofy mind somehow applied this to information security. Wouldn’t it be nice if there was a “standard among standards”?
Even worse, I sometimes found myself chasing other standards just to enable business lines in our rewards-based programs: meeting certain HIPAA requirements in order to partner with healthcare providers, for example. Nearly all states now have laws on PII. If you do any work for the federal government, FISMA regulations come into play. If you want to take a company public on an American stock exchange, SOX comes into play. In practice, nearly every major entity whose livelihood would be endangered by a security breach is subject to one or more of these standards, regulations or legislative acts.
There’s a great deal of overlap. The controls for protecting cardholder data, for example, are very similar to those for protecting patient data: access control, encryption, logging and monitoring, vulnerability management, incident response. The principles of security are the same regardless of the type of data being secured. So why can’t there be a “standard among standards”? One gold standard that incorporates the best of each? For any company that works with more than one standard, and more companies fall into that category every month, the cost savings would be huge.
ISO 27001: The Gold Standard
ISO 27001 could be this gold standard. It is a risk-based international standard for information security management systems (ISMS) that requires management to:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
- Information Security Relief is Spelled ISO-27001. An article written by John Verry, published in Info Sec Island. Mr. Verry also believes ISO 27001 could serve as an overarching standard.
- ISO/IEC 27001:2005. Detailed publication from the International Organization for Standardization.
- An Introduction to ISO 27001. A lighter version of the above.