Firewall Wizards mailing list archives

Re: iso 17799


From: George Capehart <gwc () acm org>
Date: Mon, 19 Jul 2004 22:29:40 -0400

On Monday 19 July 2004 17:33, Marcus J. Ranum allegedly wrote:
> Paul D. Robertson wrote:
>> As far as I can tell, ISO9000 only really worked for the ISO9000
>> consultants.  Can't see where 17799 is any different.
>
> Well, as George Capehart points out, NIST thinks in
> http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
> that Common Criteria are better.
>
> I am trying to see if I can mash down REALLY hard on that particular
> button of Paul's....
>
> *ducking tomatoes and meringue pies*

Well, thanks for dragging *me* into this food fight . . .  :>  I agree 
with NIST's criticism of 17799.  Don't know that I am quite comfortable 
that the CC are somehow "better," however.  Smacks of apples and 
oranges to me.  I *will* take the position, though, that if one tries 
to build an Information Security program around 17799, there will be a 
*lot* that is missing . . .  IMHO it just doesn't cover all the bases.

My 0.02 $CURRENCY.

/g
