Re:Speaking from experience... (Score 2, Interesting)

We are just getting started on the same process. Not only do we have to overcome years of architectural shortcuts, but we have to try to decipher the somewhat vague meaning of network scope. In theory any connected network becomes in scope, so any links to your data center, whether they have access to the data or not, could extend your scope back to your office... which would then need to be as secure.

The standards themselves are a collection of best practices that all make sense individually, but it seems like a protection racket where only the certified consultants can pronounce you pure.

I'd be interested in hearing about any experiences that others have been through for the level 1 certification.