A standard choice

Through a perplexing alphabet soup of choices in security standards, most Middle East enterprises are selecting and working with the ISO/IEC 27000 series of benchmarks, especially the 27001 standard.

By Sathya Ashok, published April 1, 2008


Choosing a security standard is easier said than done. The average enterprise in the Middle East looking for an enterprise-wide security standard is faced with a perplexing alphabet soup of choices that can deter everybody but the keenest.

To add to the confusion, the names of standards often change, even when the content remains the same, as they move from one standards body to another.


Security service providers and consultants, such as Kurt Information Security, tend to pick and choose among different standards to form the basis of their practices and procedures. Such companies have a research and development arm which integrates pieces of various standards into a security matrix that the firm then applies with its customers.

This is not a choice available to most enterprises. For one, standards cost money, and for another, integrating the best parts of several standards requires valuable resources, time and capital, none of which an enterprise can or should rightly be expending on that task.

However, enterprises can simplify the choice and implementation of standards with a little effort and background information. And that starts with understanding where standards come from.

The standard source

Security standards within a particular country are often dictated by home-grown benchmarks laid down by national bodies. Such bodies include BSI (British Standards Institution), AFNOR in France (Association Française de Normalisation), DIN in Germany (Deutsches Institut für Normung), BIS in India (Bureau of Indian Standards) and ANSI in the USA (American National Standards Institute).

These standards bodies set down guidelines across industry sectors and include information security as part of that. Among the lot, BSI's standards have gained global traction as security yardsticks for organisations and are being used by some Middle East enterprises as well.

Then there are industry-specific standards, such as the PCI DSS (Payment Card Industry Data Security Standard), which was developed by the major card brands to give organisations that handle payment cards guidance on preventing card fraud and other security mishaps.

It covers areas such as security policies, procedures, network architecture, software design, monitoring and other critical areas, and every organisation that stores, processes or transmits cardholder data, anywhere in the world, has to comply with it in order to avoid penalties from the card brands or the loss of card-processing privileges.

However, for a true enterprise-wide security standard, most Middle East enterprises tend to choose the benchmarks developed jointly by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) under the 27000 series. Specifically, they prefer the 27001 standard.

"It is easily one of the fastest growing standards certifications that we are seeing here. Adoption levels are extremely high generally, and in the Middle East a lot of enterprises are working to get themselves certified," states Theuns Kotze, managing director for BSI Management Systems in the Middle East and Africa.

Regional enterprises consider ISO/IEC 27001 certification, more commonly referred to as ISO 27001, as the baseline for planning and implementing their security strategy. ISO/IEC 27001 was published in October 2005 as part of ISO's 27000 series, and descends from BS 7799, a British standard that had been in use since the mid-1990s.

The standard itself is essentially based on BS 7799-2. Its objective is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information security management system."

"ISO/IEC 27001 addresses information security management systems (ISMS) - it is not an IT security standard, but a generic management system standard applicable to all types of organisations. It provides a management systems framework for protecting information, whether it is in electronic or non-electronic form, irrespective of the technology used and irrespective of media used. It is applicable to the application of ICT for business to the extent that it protects the management and operational environment where the ICT is being deployed. Hence the security controls are at a management level not a technical level," says Professor Edward Humphreys, one of the leading experts responsible for the ISO/IEC series of information security management system standards.

Most enterprises in the Middle East adopt ISO 27001 practices to provide the base on which they build their security policies and larger strategy.

Though some of them buy the standard, many instead use documents connected to the standard, obtained from a well-known reseller or partner. Many also customise the standard so that it better fits the enterprise's particular needs.

There remains a large proportion of regional companies which effectively follow the strictures laid down by ISO 27001 but do not proceed to get themselves certified. They often do not want to put in the effort and resources necessary to formalise the fact that they follow the standard, and they also believe the certification process is tough.
