Same Beginning, Same End

In the meantime, those who have studied all the standards say that it might not matter so much which one companies choose - just that they pick a set of best practices and try to follow them. "You pay your money, and you take your choice," says 4FrontSecurity's Crutchley (who, just for the record, is a Brit who's a certified BS 7799 auditor). "They all have the same beginning and the same end. You always end up with the best practices. It's just the way they're being approached. Pick one, and work with it."

Not that it will be the most exciting thing you ever do. Far from it. "It's a boring job to do this, to be quite honest," Crutchley warns. "Unbelievably boring."

It's also a lot of work - at least that's what Chris Zoladz, vice president of information protection at Marriott, discovered when he started using ISO 17799. "It's very inclusive, very comprehensive, and it can at first be overwhelming because of the size and number of areas that are covered," he says.

To cope, Zoladz created a document based on the structure of ISO 17799 and then added in the details as best he could. Next, he distributed pieces of the document to different people in the business who had expertise in a particular area, like sales or physical security. Once he got answers back, he created a master document that he distributed to the group for further feedback. Now, the document gets reviewed and updated once a year to help him set priorities.

The end result, Zoladz admits, isn't so different from what he might have gotten by following any list of best practices. The ISO label just made it a little easier for him to get others to participate.