Managers who claim that their organizations comply with ISO/IEC 27001:2005 but that they see no need to go through the bureaucracy of getting the 'badge on the wall' are only deceiving themselves. The reality, I suspect, is that the vast majority of organizations that won't submit their Information Security Management Systems (ISMS) to an external audit against ISO 27001 fear that, when it comes to the push, their systems would fail the test.

Survey after survey tells a depressingly familiar information insecurity story. Most recently, the 10th annual CSI/FBI survey revealed that, amongst the security-conscious, information security control-focused members of the CSI, computer crime continued to have a significant financial impact. The average incident last year cost $204,000, and the top two security breaches were through virus attacks and unauthorized access - both of which are comprehensively controlled through the controls and management systems mandated by ISO 27001.

ISO27001 Effectively Manages Data Security

This evidence, combined with the findings of a recent survey carried out amongst UK-based organizations that hold ISO27001 certification, suggests - somewhat contradictorily - that securing information is rarely the primary driver for achieving certification. The top reason was commercial advantage, summed up by one respondent who said that a certificate 'gives customers confidence that our data security is well managed and certified by an independent source.'

And it's that certification 'by an independent source' which is the real benefit of pursuing ISO 27001 in the first place. US regulators implicitly recognized the importance of external validation for information security effectiveness when they observed that: 'the best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.'

Achieve High Security Standards through ISO 27001

There are sectors in which the 'badge on the wall' debate is already history, and in which certification is now becoming a basic business requirement. UK cheque printers, for instance, are required to comply with a sectoral version of ISO27001, and suppliers to the NHS are expected to be on track for certification (there is now a health sector version of ISO17799) - even if the NHS itself still has some way to go. Business Process Outsourcing companies are finding it much simpler to provide a copy of their ISO 27001 certificate in their tender documentation than to answer detailed information security questionnaires. Some of this might be expected: BS7799 was, after all, a British Standard, and the UK government's Cabinet Office has, for several years now, driven take-up across the UK public sector. And as more and more local authorities and public-sector organizations become certified, so the pressure for their private-sector suppliers to achieve the standard will increase - and today's early adopters are clearly stealing a march on their competitors.

Achieve Your Certificate in ISO 27001

Internationalised as ISO 27001, information security certification can also be a short cut to best-practice compliance with a wide range of data compliance and regulatory requirements, ranging from Data Protection Acts across the EU and privacy and breach legislation across the OECD to specific legislation such as GLBA, HIPAA and Sarbanes Oxley. Determined outsourced suppliers are increasingly insisting that their certificate be taken into account when preparing for and costing their annual SAS 70 audit, with consequently substantial reductions in both the cost of, and disruption caused by, the audit.

Are organizations beginning to recognize that, in fact, it is the badge on the wall that counts? Yes, as evidenced by the increasing number of badges. It took about seven years (to December 1994) for the first 1,000 certificates to be achieved, but less than two and a half years later there are more than 3,500 successes. And certification has a ripple effect: every organization that achieves ISO 27001 will expect its key suppliers to meet the standard. And this means that anyone who thinks the badge doesn't count will have nowhere to hide when the CEO comes asking why your competitors have stolen your lunch.