Let me take a stab at answering your question using a real life example...
I liken the TCG to our current day ISO:
ISO 9000
From Wikipedia, the free encyclopedia
ISO 9000 is a family of standards for quality management systems. ISO 9000 is maintained by ISO, the International Organization for Standardization and is administered by accreditation and certification bodies. Some of the requirements in ISO 9001 (which is one of the standards in the ISO 9000 family) would include:
a set of procedures that cover all key processes in the business;
monitoring processes to ensure they are effective;
keeping adequate records;
checking output for defects, with appropriate corrective action where necessary;
regularly reviewing individual processes and the quality system itself for effectiveness; and
facilitating continual improvement
A company or organization that has been independently audited and certified to be in conformance with ISO 9001 may publicly state that it is "ISO 9001 certified" or "ISO 9001 registered." Certification to an ISO 9000 standard does not guarantee the compliance (and therefore the quality) of end products and services; rather, it certifies that consistent business processes are being applied.
Although the standards originated in manufacturing, they are now employed across a wide range of other types of organizations. A "product", in ISO vocabulary, can mean a physical object, or services, or software. In fact, according to ISO in 2004, "service sectors now account by far for the highest number of ISO 9001:2000 certificates - about 31% of the total" - source: [1]
Advantages
It is widely acknowledged that proper quality management improves business, often having a positive effect on investment, market share, sales growth, sales margins, competitive advantage, and avoidance of litigation.[4][5] The quality principles in ISO 9000:2000 are also sound, according to Wade,[6] and Barnes, [5] who says "ISO 9000 guidelines provide a comprehensive model for quality management systems that can make any company competitive." Barnes also cites a survey by Lloyd's Register Quality Assurance that indicated ISO 9000 increased net profit, and another by Deloitte-Touche that reported that the costs of registration were recovered in three years. According to the Providence Business News [7], implementing ISO often gives the following advantages:
Create a more efficient, effective operation
Increase customer satisfaction and retention
Reduce audits
Enhance marketing
Improve employee motivation, awareness, and morale
Promote international trade
However, a broad statistical study of 800 Spanish companies [8] found that ISO registration in itself creates little improvement because companies interested in ISO have usually already made some type of commitment to quality and were performing just as well before registration.[4]
In today's service sector driven economy, more and more companies are using ISO 9000 as a business tool. Through the use of properly stated quality objectives, customer satisfaction surveys and a well-defined continual improvement program companies are using ISO 9000 processes to increase their efficiency and profitability.
So, anybody who has business to business experience knows just how important it's for a company to be "ISO Certified". In fact, one would typically see large banners posted on the outside and inside of a company that was ISO certified. I'm sure there are other more expert individuals who post here who can better break down the reasons why companies desire to be ISO certified but I believe legal liability has to be in the top two or three reasons.
Auditing plays a critical role in determining certification. Auditing determines whether a company would be liable or not.
Auditing (ISO)
Two types of auditing are required to become registered to the standard: auditing by an external certification body (external audit) and audits by internal staff trained for this process (internal audits). The aim is a continual process of review and assessment, to verify that the system is working as it's supposed to, find out where it can improve and to correct or prevent problems identified. It is considered healthier for internal auditors to audit outside their usual management line, so as to bring a degree of independence to their judgments.
Under the 1994 standard, the auditing process could be adequately addressed by performing "compliance auditing":
Tell me what you do (describe the business process)
Show me where it says that (reference the procedure manuals)
Prove that that is what happened (exhibit evidence in documented records)
How this led to preventive actions was not clear.
The 2000 standard uses the process approach. While auditors perform similar functions, they are expected to go beyond mere auditing for rote "compliance" by focusing on risk, status and importance. This means they are expected to make more judgements on what is effective, rather than merely adhering to what is formally prescribed. The difference from the previous standard can be explained thus:
Under the 1994 version, the question was broadly "Are you doing what the manual says you should be doing?", whereas under the 2000 version, the question is more "Will this process help you achieve your stated objectives? Is it a good process or is there a way to do it better?".
The ISO 19011 standard for auditing applies to ISO 9001 besides other management systems like EMS ( ISO 14001), FSMS (ISO 22000) etc .
We can all agree the liability associated with a lost HD is tremendous and is becoming more significant each day as it relates to public humility and financial liability. Therein lies the market for FDE and I believe ERAS will provide a critical component (auditing) to lessening liability. So much so that the TCG is integrating the auditing functions for FDE into their standards. And this might be a stretch... What if it becomes an ISO standard as well?
Let's also not forget that the TCG is requiring: "Any device that implements the TCG Storage Specification will be supported by the work of the Subgroup." See post #153596 I just dont see another competitive server product which will be able to support the standard? Not in the near future at least.
Jeff
