July 18, 2007

By Jim Reavis

This tidbit may not rank up there with curing polio or the invention of YouTube, but I think it is pretty significant - you decide.  It hasn’t been announced yet, but folks in DC tell me that NIST (the National Institute of Standards and Technology) is working on a project to map between the ISO (International Organization for Standardization) 27001 certification standard for information security management system requirements and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.  Folks tell me that the goal is to come up with an ISO 27001 certification that is acceptable to the Feds, allowing government agencies to use it to comply with the Federal Information Security Management Act (FISMA).

NIST 800-53 is good stuff; in fact, I know of several private sector companies that use it as the framework for their information security programs.  The problem with standards is that there are too many of them.  The world changed significantly when we dumped an alphabet soup of networking protocols such as DECnet, OSI, IPX/SPX and NetBEUI for just one: the Internet Protocol, or IP.  I don’t see NIST bailing on all the good work of 800-53; I see them translating it into the flexible format of ISO 27001.  Federal agencies will have a more efficient means of complying with FISMA, and the rest of the world will have a stronger ISO 27001 to leverage within their security programs.

Could this be the domino that creates a regulatory standardization chain reaction?  Could ISO 27001 become the default framework for IT auditors, and the way forward for SOX 404 compliance?  Japan has already figured this out, and has roughly 2,000 27001-certified companies as opposed to about 60 in the U.S.  Nothing happens overnight, but replacing security prescriptions inside of regulations with a pointer to international standards will be a great thing.  Businesses will spend less on compliance and more on their business.  Security gaps will be reduced in business-to-business and government-to-business communications.  Perhaps we will all be able to focus on real problems and not so much on the checklists.  
