Standards, standards and more standards…

I was recently asked to advise a client on which information security standard they should adopt. They had looked at a number of them, ranging from NIST to Cyber Essentials, and had even made a small foray into obtaining and maintaining a couple with a very focussed scope. As part of my work there, they wanted to settle on one that would not only help them be more “compliant” (the normal starting point), but one that would also grow with them and allow them to support and enable their own clients. To be honest, they had a very refreshing view of the value of certification, and so we worked together well.

What they ultimately chose as a result of the workshops I ran with them is neither here nor there, but one of the tasks was to create a simple comparison chart of the major players. “No problem!” I said… “I’ll Google it when I get back to the office,” I thought to myself, “easy.” I was surprised to find it was neither easy nor on Google.

The only document of use that I did find was from ISACA, entitled “Comparison of PCI DSS and ISO/IEC 27001 Standard”, written by Tolga Mataracioglu (the link may be behind a paywall, restricted to ISACA members). It is an excellent and in-depth article looking at the two standards, mapping the requirements and generally doing a great job of helping the reader understand the relative strengths and weaknesses of both. However, it was only on the last page, in Figure 8, that I saw something of real value to the executive leadership I was presenting to. It covered eight parameters and compared the two standards against them in plain English. This approach is excellent for us “business” infosec people, and I applaud Tolga for it.

So I took what had already been created and decided to add to it, for instance other standards and a relative cost indicator, and asked a number of peers for their advice on filling in the various sections; here is the finished result:

I like this approach because it breaks down, in plain terms, what leadership need to be concerned with and how each standard can best be applied to them.

So my question for this blog is: what are your thoughts? Is this an accurate representation of the standards? Also, what other standards or measures need to be included? Making this as robust as possible will benefit all of us (and I will be posting it for free download on my website shortly).

Looking forward to your responses and feedback.

Welcome to our Blog!

This page allows us to share our broader thoughts and opinions on the information security industry. Many of the posts will be automatically cross-posted from the blog at Thom’s personal site.

Please do comment and share via your social media links; your opinions and thoughts are what help keep the industry moving forwards.