
Security and Governance – One size doesn’t always fit all

Ed Gibson’s comment on my recent posting on processes hit the nail on the head. One size doesn’t always fit all. In this particular case the debate was about the upside and downside of processes, and the consequences of attempting to liberate workers from the shackles of their processes. But the importance of tailoring solutions to the organisation is a key point for practitioners to grasp.

All organisations are different. They have different cultures, different governance systems and different ways of reaching decisions (or not in the case of some that I’ve worked for). You cannot simply transfer a security blueprint from one to another. I’ve built security management systems from scratch for three different organisations, and they were all quite different. One lasted for more than a decade. Another required constant adaptation to reflect major changes in the organisation’s strategy and organisation.

But organisations share common requirements, many of which do not vary over time. That was the key to the success of ISO 17799. When we drafted the original BSI Code of Practice, the DTI assembled a team of practitioners from seven different industries. We expected some differences between sectors and were pleasantly surprised to find that we could craft a standard that could work in all organisations. So yes, one size does not always fit all. But in some cases it can.


About

This page contains a single entry from the blog posted on January 3, 2007 1:38 PM.
