"Unlike maybe what you might get from one of the consultancies - which I'm sure is fine and very useful - the BS or ISO is recognized, it's known, it's objective," Zoladz says. "People didn't come out and say this, but I sensed that by being able to say this is a well-recognized standard - immediately there was an acceptance - as opposed to if I would have said, Hey, this is consulting firm ABC's best practices. There might have been more discussion about, how did they come up with these, or look what I just got in the mail from consulting firm D."

"Third-party credibility and objective reasons why something needs to be done are important, and standards are sometimes looked at as a way to do that," says Larry Dietz, director of market intelligence at Symantec. "Ever seen the Wizard of Oz? What was the scarecrow's problem? He didn't have a brain. And how did the wizard solve the problem? He gave him a diploma that said he was smart."