International standards, an ISO/ISAE/PCI love story
Security like I’m five: International standards

Man oh man. "Overpromise, underdeliver" (yeah, you read that right) has been my life's motto for as long as I can remember. But this time.. this time I really got myself into something.
As you may know by now, this series is about explaining security and compliance concepts, but in an "easy" way. I work with international standards like ISO 27001 on a daily basis (weird flex), so I thought it'd be easy peasy to explain them in a blog post. So I started typing, and typing. Re-reading, some more typing. Some more re-reading. You get my point. Some more typing. But BOYYYYYYYYYYYYYYYYY, this took me a while. Either way, it's going to be a series. Sit back and enjoy the ride.

In this post series
➡ part 1: WHAT ARE THESE INTERNATIONAL STANDARDS YOU SPEAK OF, YOUNG WIZARD?
➡ part 2: The big four explained
➡ part 3: Which one is for me, and how do I get started?
reading time: 02:15

What are the international standards?
Well, to start off, they're not really international standards.
Sorry to disappoint you like that, but it's hard to classify them all under one common denominator. Yet they are commonly talked about in the same breath. Here's a short summary of the most frequently used:
there's ISO: the International Organization for Standardization
there's ISAE: the International Standards for Assurance Engagements
and then there are other highly recommended standards like the PCI DSS: the Payment Card Industry Data Security Standard
By now you probably guessed 2 things:
1 they each serve their own purpose and audience
2 the people who came up with those names are not often invited back to parties.

Part 2 of this series will go into more detail for each of those mentioned above. But first I think it's good to understand WHY they exist, amirite?
STORY TIME
Let's say you want to do business with a certain company. Let's call them BaceFook. BaceFook provides the best software ever, like everrrrrrrr. And all they need in return to make this software work for you is your data. Pretty solid deal, right? But.. you're a little suspicious. Can you trust BaceFook with your data? How is their security? Do they have information management of some sort? Who can access your data?

Ok, let's not panic. I'm sure they're great with data. Let's just ask them how they do business. After asking, BaceFook ASSURES you they have state-of-the-art security controls. They have an Information Security Management System in place, and access control. They even send you over their information security policy.
We good fam.
But who regulates this ISMS? Who checks if they REALLY do things as they say they do? Quis custodiet ipsos custodes?
*ENTER THE INTERNATIONAL STANDARDS*
(I feel the buildup was way longer than my actual point, opinions?)
So yeah. That's basically what they are for, in different varieties. Some dictate rules you must follow, others make you write down your own. The one thing they all have in common is that you get an external audit, making sure you do what you say you do. You get a nice piece of paper to show off to the world, and this makes you way more reliable to others. WIN WIN.


In the next part we'll go exploring together. You, me, a couple of brewskis and four of the most common international standards, explained. CAN'T.WAIT. That's it for now, stay safe and when in doubt: don't click the link.
