
Q: "Should we aim for ISO27k conformance, alignment, compliance or certification?"

A: Yes. Well OK, I guess you want some advice on which way to go?




• Conformance (meaning a general intent to apply the ISO27k standards) is a basic starting point, achievable at little cost for any organization that takes information security seriously. However, the ‘general intent’ bit implies a fair amount of management discretion about which specific parts of the ISO27k set are going to be used, and more importantly to what extent they are to be adopted. Conformance gives little if any assurance to third parties about the organization’s information security status. It’s practically meaningless without further information (for example, which ISO27k standards have been implemented, and to what extent? Is the organization merely planning to adopt the ISO27k standards at some future point, or has it already done so?).

• Alignment is about as worthless as conformance. It could mean practically anything.

• Compliance (meaning a more rigorous, comprehensive and systematic adoption of the ISO27k standards) is the next level which typically involves the org
