"There's a continuum of information security standards that goes all the way from the level of generality that a board of directors should deal with, down to the level for enterprise management, to operating divisions, all the way down to the detailed operational steps that one has to take to configure firewalls, routers and so on," Kreitner says. "But the continuum tends to be broken. It's a series of perspectives that are not generally connected."

Ready or Not, Here They Come

For security management, at least, the ISO 17799 standard is the one most widely accepted. That's not saying much. In fact, the best measure of its success may be that other standards bodies are trying to compete with the ISO specifications without explicitly contradicting them. Widely used in the United Kingdom and Pacific Rim, ISO 17799 still hasn't gained traction in the United States. A users group (www.xisec.com) lists just three organizations in the United States that have been certified by the British Standards Institute as being BS 7799 compliant. And even its biggest American boosters admit that it's flawed. "It's not perfect," says Giga Information Group Research Director Michael Rasmussen, "but it's the most widely adopted. You can follow other best practices, but this puts everything together in one spot, and it's internationally recognized. Wherever I go, people are asking about it."

Nevertheless, 17799 was born of the Geneva, Switzerland-based ISO with marks against it. Fast-tracked through the approval process in August2000, ISO 17799 had the support of many small countries but only one of the large G7 nations - the United Kingdom, where it was born as BS7799. Canada already had its own competing standard. So did Germany. So, of course, did the United States, with the NIST publications. None of the large countries wanted to throw its weight behind a competing standard. Critics charged that ISO 17799 was passed too hastily, written unevenly and lacked sufficient guidance - that it told managers what to do without telling them how to do it.

At First Data, one subsidiary that deals with global Internet commerce had a Big Five consultancy audit it against the ISO requirements, says CISO Phil Mellinger. Mellinger, who is trying to make the company's security requirements ISO-compatible, says the document itself just wouldn't work for most of the $7.6 billion Denver-based financial services company. "We see it as sort of an outline of what a business should address, but it's not detailed enough or specific enough for our business," he says. "You know how it is when you write documents through consensus."

Opponents also said that the document made it seem as if security were just a list of to-dos, rather than an ongoing process. The solution was a rather superficial one. All the checklist-type material was placed in an appendix at the back of the document. And that didn't address the most fundamental criticism of all: That ISO 17799 shouldn't be a standard, only a technical report.