Sorting the standards

17.04.2006

ISO 27001

ISO 27001 (Information Security Management -- Specification With Guidance for Use) provides more of the detail that's needed, Nelson says. The standard, which is based on an earlier standard, ISO 17799, is designed to help organizations establish and maintain effective information security controls through continual improvements.

Developed in October 2005 by the International Standards Organization, ISO 27001 implements principles of the Organization for Economic Cooperation and Development on governing the security of information and networks. The standard creates a road map for the secure design, implementation, management and maintenance of IT processes in an organization.

"ISO 27001 is a laundry list of controls; it gives more of a framework for an effective security program," says Paul Proctor, an analyst at Gartner Inc. in Stamford, Conn. "Cobit and ISO 27001 are the most popular [standards] out there."

ITIL