Reaching Out to Protect Within: Comparing and Contrasting ISO and NIST Information Security Standards
Overview:
In Nemertes' latest research benchmark, "Service Oriented Architectures
and Applications," a resounding 90.6% of participants say that compliance requirements directly affect their SOA. In fact, we know
that compliance requirements directly affect all aspects of IT.
The heart of regulatory compliance is the establishment of a strong
IT security framework, based on security standards. The ideal IT
security standard must be flexible to adapt to the unique requirements
of the business, yet rigid enough to provide actionable advice. The
most widely adopted security standard is ISO 27001/27002 (27002 was
formerly ISO 17799). ISO 27001/27002 is an excellent security standard that
offers high-level guidance on risk management and on establishing
security controls. However, its high-level approach leaves a lot of
room for interpretation by the enterprise IT security staff.
Another set of standards, the National Institute of Standards and
Technology (NIST) Special Publication 800-Series, provides direction for federal agencies on
implementing the security controls necessary to protect government assets.
Unlike ISO 27001/27002, the NIST recommendations tend to be more
prescriptive and granular and thus more rigid. Ironically, given that
ISO is an international standards body and NIST is a U.S. federal agency, the
potential value of these two standards series is often overlooked by North
American IT shops.
To address this issue, Nemertes Research Analyst, Ted Ritter has
recently published a paper comparing and contrasting the two standards
series: "Reaching Out to Protect Within: Comparing and Contrasting ISO
27001/27002 and NIST Special Publication 800-Series Information
Security."
This paper successfully pulls from both sets of standards to create
a combined security framework that is both flexible - to support
changing business needs - yet, prescriptive enough to be actionable.
Read this Study: Reaching out to Protect Within: Comparing and Contrasting ISO and NIST Information Security Standards
Non Clients:
Nemertes Issue Papers and Studies are available to clients only. If you're not a client and would like to receive a copy of the Issue Paper, please contact us.