ISO 17799 for SOX Requires Security, Mindset Changes

Although Martha Stewart's insider trading trial may be the scandal du jour, the Wall Street scandals of the past few years have, taken together, created a new challenge for technology executives: complying with complex standards meant to ensure data security and integrity.

The Enron mess, for example, led to passage of the Sarbanes-Oxley (SOX) Act of 2002, which in turn has left many publicly traded companies searching for ways to comply with a whole new set of reporting and data integrity requirements.

Some are relying on COBIT (Control Objectives for Information and related Technology), while others are looking to compliance applications from financials vendors such as Oracle. But there is another route: ISO 17799, a code of practice for information security management made up of a series of security best practices and published as an international standard in 2000.

SOX focuses on financial reporting and disclosure, and on the integrity of the data behind them; it does not require compliance with 17799, and 17799 itself is a security management framework rather than a financial-controls standard. Even so, this route can deliver a dual benefit: the credibility that publicly held companies crave, and a documented set of security controls to point to when demonstrating compliance.

“If you are compliant with 17799, you’ll meet the expectations of SOX,” said Michael Higgins, managing director of the Technology Risk Management practice for Tekmark Global Solutions who also teaches computer security and business continuity operations at The George Washington University. That’s why CIOs at large publicly-held companies often lead the charge for 17799 compliance.