I recently came across an interesting article explaining the concept of ISO 17799/27001 as a control vs. a standard. This is a good write-up because it explains that the ISO documents are there as suggestions and guidance to be applied based on a risk assessment.
Many times I talk to organizations that appear to be looking to implement the ISO controls, but there is an education gap. In most cases these organizations are not looking to be compliant for an ISO audit, but believe that implementing the controls increases the company's security. If you are not looking to be compliant, then, as with any security solution, a risk assessment should be conducted to determine which controls are implemented and in what priority.
Very recently I also came across a website which provides a wonderful tool to comply with regulations like ISO 17799, and it also helps in complying with many other regulations. A Symantec crosswalk matrix poster between different regulations is a very useful tool for the compliance team and risk management office. This poster is a crosswalk between: HIPAA, ISO 17799, COBIT 4.0, Sarbanes-Oxley, Payment Card Industry (PCI), GLBA, NERC CIP standards and PIPEDA (Canada) http://www.compliancehome.com/symantec/compliance.html
I’m not too comfortable with recommending a tool to ensure compliance. Let me state that I’m not familiar with the tool that you mentioned other than from reading the whitepaper you linked. My experience shows that a tool can’t do the entire job. Do you know what percentage of compliance for ISO 17799 the tool actually provides, or, for that matter, the percentages for the other compliance regimes (SOX, etc.)? I think a statistic like that would be the most valuable, and if there is data to back it up then everyone could benefit.
Hey, very nice site. I came across this on Google, and I am stoked that I did. I will definitely be coming back here more often. Wish I could add to the conversation and bring a bit more to the table, but I am just taking in as much info as I can at the moment.