I recently came across an interesting article explaining the concept of ISO 17799/27001 being a control vs. a standard. This is a good write up because it explains that the ISO documents are there as suggestions and guidance based on a risk assessment.
Many times I talk to organizations that appear to be looking to implement the ISO controls, but there is an education gap. In most cases these organizations are not looking to be compliant for an ISO audit but believe they are increasing the company’s security. If you are not looking to be compliant then like all security solutions a risk assessment should be conducted to determine the controls implemented and their priority.
Article:
