Wednesday, 14 September 2005

My employer, Corillian Corporation, announced the other day that it's achieved certification under the international security standard BS7799, which is also the basis for the about-to-be-released ISO17799 standard. Without disclosing anything confidential here, I wanted to write a few of my own personal thoughts about the process and my experience in it, and what I think it means in the real world.

Those of us that have been involved in making this happen - which in the end really means every single person employed by the company - are excited about the achievement. We didn't just work to certify a portion of the company's operations, we did the full-meal-deal. I know that those of us on the security team all feel a real sense of accomplishment and success, while cautiously recognizing that we now have that much more to continue to live up to, now that we've arrived. After all, resting on one's laurels in the security world is a dangerous place to be, and security is a process, not an event.

What does it mean to be certified under the "7799" standard? Simply put, the certification says that the company has put in place a comprehensive security management system and program, and that it has shown evidence through a set of documentation and on-site examinations that it's meeting the complete set of standards without deficiencies. In other words, it means we've proven under close scrutiny that we have a solid security program that we take very seriously, and that it works.

I can't begin to explain the amount of learning I did in the process of doing my part in the effort to attain certification. I can tell you that I am convinced - well beyond the shadow of a doubt - that a strong security program and management system can and does contribute directly to the delivery of high quality of products and services. It's a lot of work to get to the point where certification is even possible, and many people dedicated incredible effort over the course of a couple of years to reach this point, but the value gained through the process is very high.

Every organization that deals with security issues and responsibilities should go through the process of certification under the standard. It would make for a much better operating environment, and would result in better-run companies. And in this day, age and operating environment, where trust and security are of paramount importance to business success, there's almost no excuse not to do so.

Add/Read: Comments [0]
IT Security | Tech
Wednesday, 14 September 2005 16:08:34 (Pacific Standard Time, UTC-08:00)
#  Trackback

Referred by: [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral]

Comments are closed.