IT Compliance Leaders Rely on ISO 17799

Across 406 organizations taking part in recent benchmarks, the primary framework employed by industry leaders - the organizations with the fewest IT compliance deficiencies and the lowest financial harm from IT security events - is ISO 17799 (Figure 1).
Figure 1: Policy Framework Usage

Multiple Policy Frameworks: Better Compliance Results

Not content to rely only on ISO 17799, the industry leaders are also employing, on average, three frameworks as part of their IT policy compliance efforts. This compares with slightly more than two for organizations operating at the norm and slightly less than two for industry laggards (Figure 2).
Figure 2: Number of Frameworks Employed

Leveraging IT Policy Frameworks for IT Compliance

Interviews conducted with participants reveal that multiple IT compliance frameworks are serving a range of purposes, including:
- Employing one as the primary reference standard for the organization
- Keeping senior management and the audit committee informed
- Calibrating best practices for IT and IT security in the organization
- Supplementing existing IT policies and practices
- Diagnosing existing practices, procedures and policies
- Serving as the lingua franca between internal audit, IT and external auditors
Guidance Recommendations:
Guidance for all organizations, based on fact-based benchmarks, includes:
- ISO 17799 is the dominant framework employed by industry leaders
- More is better: use three or more IT policy compliance frameworks
- Employ IT policy compliance frameworks specific to your industry
© IT Policy Compliance Group, 2006