BS 7799/ISO 17799
Release authority May 25 2007 09:19AM
kartik kashyap gmail com (2 replies)
Re: Release authority May 25 2007 09:54AM
Ismael Valenzuela (ismael valenzuela gmail com) (1 replies)
RE: Release authority May 25 2007 10:31AM
Mark Curphey (mark curphey com)
RE: Release authority May 25 2007 09:41AM
Jose Varghese (jose varghese paladion net) (2 replies)
Re: Release authority May 25 2007 10:31AM
Vivek P (iamherevivek gmail com)
Certifications a magic bullet for e-security! May 25 2007 10:05AM
Vijay Mukhi (vmukhi vsnl com) (3 replies)
Re: Certifications a magic bullet for e-security! May 25 2007 01:29PM
ashish shah (ashishs_71 yahoo com)
Re: Certifications a magic bullet for e-security! May 25 2007 12:18PM
Ryan Chow (rynchow gmail com)
Re: Certifications a magic bullet for e-security! May 25 2007 10:56AM
Vivek P (iamherevivek gmail com) (1 replies)
Some more questions May 26 2007 05:10AM
Vijay Mukhi (vmukhi vsnl com) (1 replies)
Thanks to all of you who answered my earlier question; I learnt a lot from the
answers.

Most places on the web would sell me the ISO 27001 official standard for
about 200$. The ANSI site sells the same standard at 30$. Why do we have
such wide fluctuations in prices? At the end of the day, do I get the same PDF
file, or is there any difference?

For a newbie like me, can someone point to sites/links/groups/articles which
discuss/debate/analyze issues/pitfalls/benefits etc. regarding IT security
certifications? I checked Amazon and they did not have too many books. Any
pointers would be highly appreciated.

Is the following equation correct?
ISO 27001 = ISO 17799 + 12 pages of ISO 27001
Pages 13 onwards of the ISO 27001 standard are a summary of controls from
ISO/IEC 17799.

Am I right in assuming that the controls specified in ISO 17799 are more
managerial than technological? For example, section 10.4.1, which is the control
on malicious code: the implementation guideline is very generic. I teach
people how to add/alter code in software binaries, and none of the techniques
I teach are mentioned in this control. How does someone practically enforce
this control if there are no actual guidelines or real-life cases given as
examples? Has anyone written technology implementation guidance for
every control? The password use control, for example, has some actual
practical guidelines that one can enforce.

Suggestion: Is it a good idea to take every control and specify actual,
practical technology ways of enforcing the ISO 17799 controls, and thus
ISO 27001? At the end of the day, I do not think that we can have a control for
preventing zero-day exploits.

Vijay Mukhi
CEO
Counter Espionage Officer

Re: Some more questions May 26 2007 12:41PM
Andreas Rauer (andreas andreas-rauer de)
Copyright 2010, SecurityFocus