Information Security Standards
By: Bruce Coker
    2008-08-20

    Table of Contents:
  • Information Security Standards
  • ISO/IEC 27000 Series
  • NIST SP 800 Series
  • ISF Standard of Good Practice for Information Security

    Information Security Standards


    (Page 1 of 4 )

    If you deal with information security systems, either as a seller or as a purchaser, you need to be aware of information security standards. This article explains what they are and why they are important, and walks you through the best-known information security standards in the field.

    What are they and why do they matter?

    Anyone responsible for designing or implementing information security systems knows that it can sometimes be difficult to demonstrate the effectiveness of their solutions, either to their organization's decision makers, or to its clients. Decision makers need to know that the budgets they assign are being directed at worthwhile targets, while clients demand the sense of confidence that comes with knowing their sensitive data and confidential details are in safe hands.

    While an unblemished security record is important, it will only go so far in fulfilling this requirement. After all, it only takes one breach to knock a hole in that record. And how does a new organization with no history to speak of show that it takes security seriously?

    This is where information security standards come in. Just like quality control standards for other industrial processes such as manufacturing and customer service, information security standards demonstrate in a methodical and certifiable manner that an organization conforms to industry best practices and procedures.

    There are currently three primary standards in place governing information security. There are slight differences of emphasis between them, but all three address the same primary requirement to codify a quality-controlled approach. First among equals is the ISO/IEC 27000 series of standards. Bearing the internationally prestigious names of the International Organization for Standardization and the International Electrotechnical Commission, this is the most recognizable standard. Secondly, there is the NIST SP 800 group of standards, overseen by the National Institute of Standards and Technology. And finally, there is the Information Security Forum's Standard of Good Practice for Information Security.
