"When the U.K. brought BS 7799 to ISO, many international bodies would have been very agreeable to having that document become a technical report as opposed to a standard," says Alicia Clay, program manager for information security outreach with NIST, who is a representative on the committee that edits ISO 17799. "The expectation of a technical report is that it's more of a guideline. ISO 17799 reads more like a technical report, but technical reports tend not to carry the same kind of weight. People don't generally talk about conformance to reports."

The thing is, they don't talk about conformance to ISO 17799 either. Because of subtle differences in wording between the documents, companies can be certified against BS 7799 but not ISO 17799.Consultancies that offer ISO 17799 validation and certification have, by necessity, altered the standard or opted to use BS 7799 instead. Thus, practices are based on ISO 17799 - which tells companies they "should" take certain actions, rather than BS 7799, which says they "shall" do things - but not compliant with it. "Normally for a standard, you would say, A company shall do this and shall do that," Clay says. "It's really clear. You're conforming to a standard [like BS 7799] if you're conforming to the 'shall' statements. You may hear people say that they're 'complying' with 17799. They aren't, really, unless they're changing all those 'shoulds' to 'shalls."

When asked why the standard is set up that way, Clay lets out a long chuckle. "That," she answers, "is the question that is much debated." In fact, an ISO committee that is revising the standard again - it's common for new standards to undergo continual revision - will meet in Quebec in April, and one of the questions on the table is whether IS should develop a standard that could support a certification system.

Clay doesn't want to put herself in one camp or the other, but the U.S. attitude toward ISO 17799 tends to be one of resignation. "One of the reasons why the U.S. is so actively working on it is so that, if something does come of it, it's something U.S. business can live with," Clay says. "Whether we were ready for it or not, we now have a standard. It starts to be a good thing that 17799 is not definitive because then it would be more difficult to work with."

In the paranoid security world, even an accepted certification system would hardly inspire the kind of proud "ISO 9000 Certified" banners that hang from manufacturing plants across the country. But it would make the standard, well, a bit more standard.