[ISM3 Users] Tuesday Insight - Control vs Processes + Comparison
Vicente Aceituno
vac at zenobia.es
Mon Sep 17 20:04:35 CEST 2007
Dear All,
When I compare controls and processes, saying that a control has no
defined output but a process has, I am very often criticized.
A control can say something like "all Windows systems will be free of
malware". You can audit that by looking for malware on systems.
When you are not auditing, how do you improve your malware protection
control? The positive deliverable from malware protection is not
defined, so you don't know if the process is getting better or
worse...
With a process you can say "Windows systems will have malware protection
software installed". Outputs could be: cleaned viruses, detected
viruses. Metrics will be: % of systems protected this month, number of
cleaned viruses per system per month, % of systems with latest updates.
With metrics you know how the process performs without the need to
audit it. And you can improve it continuously.
I don't say you can't implement a control using a process; I say a
control doesn't help you to do it. So the utility of controls is limited.
More opinions on this comparison between control and process?
Now for something very similar. A full comparison between ISO27001 and
ISM3 will be available for around 24h from the All Files section. I
hope you find it informative.
http://www.ism3.com/index.php?option=com_docman&task=cat_view&gid=1&Itemid=9
My best
Vicente
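As an added illustration of the process metrics named in the post (not code from the post, the ISM3 project or the list), the script below computes "% of systems protected", "cleaned viruses per protected system" and "% of systems with latest updates" from a constructed inventory of Windows systems, and reports the month-over-month delta so the trend is visible without an audit. The inventory records, the report date and the rule that signatures older than seven days count as "not latest" are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class System:
    """One inventory record for the reporting month (constructed sample data)."""
    hostname: str
    av_installed: bool
    signature_date: Optional[date]  # None when no agent is installed
    detected: int                   # detections reported by the agent this month
    cleaned: int                    # detections the agent cleaned this month


# Assumptions for the example: the month closes on this date, and
# "latest updates" means signatures no older than seven days at that point.
REPORT_DATE = date(2007, 9, 30)
MAX_SIGNATURE_AGE = timedelta(days=7)

# Constructed inventory, not data from any real estate.
INVENTORY: List[System] = [
    System("ws01", True, date(2007, 9, 29), detected=3, cleaned=3),
    System("ws02", True, date(2007, 9, 10), detected=1, cleaned=0),  # stale signatures
    System("ws03", True, date(2007, 9, 25), detected=0, cleaned=0),
    System("ws04", False, None, detected=0, cleaned=0),              # no agent at all
    System("srv01", True, date(2007, 9, 23), detected=2, cleaned=1), # exactly 7 days old
]


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return 0.0 if whole == 0 else round(100.0 * part / whole, 1)


def process_metrics(systems: List[System],
                    report_date: date = REPORT_DATE,
                    max_age: timedelta = MAX_SIGNATURE_AGE) -> Dict[str, object]:
    """Process outputs and metrics for one month, as the post describes them."""
    total = len(systems)
    protected = [s for s in systems if s.av_installed]
    current = [s for s in protected
               if s.signature_date is not None
               and report_date - s.signature_date <= max_age]
    cleaned = sum(s.cleaned for s in protected)
    detected = sum(s.detected for s in protected)
    return {
        "systems": total,
        "detected": detected,
        "cleaned": cleaned,
        "pct_protected": pct(len(protected), total),
        "pct_signatures_current": pct(len(current), total),
        "cleaned_per_protected_system": round(cleaned / len(protected), 2) if protected else 0.0,
        # The lists below are what the process owner acts on next month.
        "unprotected": sorted(s.hostname for s in systems if not s.av_installed),
        "stale_signatures": sorted(s.hostname for s in protected if s not in current),
    }


def trend(previous: Dict[str, object], current: Dict[str, object]) -> Dict[str, float]:
    """Delta of each numeric metric; positive coverage deltas mean the process improved."""
    return {k: round(float(current[k]) - float(previous[k]), 2)
            for k, v in current.items() if isinstance(v, (int, float))}


if __name__ == "__main__":
    this_month = process_metrics(INVENTORY)
    # Constructed figures for the prior month, to show the comparison.
    last_month = {"systems": 5, "detected": 4, "cleaned": 2, "pct_protected": 60.0,
                  "pct_signatures_current": 40.0, "cleaned_per_protected_system": 0.67}
    for key, value in this_month.items():
        print(f"{key}: {value}")
    print("trend:", trend(last_month, this_month))
```

The two hostname lists are the practical difference from an audit finding: they tell the process owner which machines to fix, and next month's percentages show whether that work happened.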