UK firms embrace ISO 27001 security standard

By Martin Courtney

27 May 2010

Bob Tarzey: ISO 27001 is an easy thing to commit to, but a hard thing to complete

Security vendors have been quick to suggest that UK organisations are jeopardising IT security and compliance by not implementing effective data loss prevention policies.

But statistics show that the UK is actually way ahead of its US and European rivals in achieving ISO 27001 certification.

ISO 27001, the certifiable standard in the ISO 27000 family, provides an internationally recognised model for implementing an effective information security management system (ISMS) within an organisation.

It is widely touted as a data security framework against which companies can check the trustworthiness of suppliers, business partners, customers and vendors when exchanging sensitive information.

According to the international register of ISMS certificates, 444 UK companies have achieved ISO 27001 certification so far, behind only Japan and India, and well ahead of Germany (137) and the US (96).

The number of companies to have achieved certification globally is 6,443, though Japan has a staggering 3,499 of that total.

Yet despite the strong indication that UK organisations are by far the most proactive supporters of ISO 27001 certification in the western hemisphere, various surveys insist that UK companies are struggling to implement compliance policies in support of the standard.

Research based on 270 interviews with senior IT staff published in April this year, conducted by Quocirca and commissioned by CA, concluded that UK IT departments were struggling to deal with ISO 27001 compliance issues, for example.

So why the discrepancy and what, if anything, appears to make UK companies recognise the value of ISO 27001 certification more than so many organisations in other countries? Are security software and service vendors overstating the case in a bid to keep their own sales people busy and their revenue stream healthy?

Stuart Bonell is an associate consultant at BroadGroup, a consultancy that recently published a report into the data security issues affecting datacentre providers. The report found that ISO 27001 certification was the most popular approach to security management in that sector. Bonell thinks the ISMS register figures sound low, and suspects there are more companies with ISO 27001 certification than appear on the register.

“It did start out as a British standard, which could be one reason why it is more popular here, while the US equivalent is the Statement on Auditing Standards (SAS) 70 Type II standard – lots of datacentre companies have them both now,” Bonell says.

And Quocirca analyst Bob Tarzey says that there is a big difference between committing to ISO 27001 certification and actually achieving the necessary controls.

“ISO 27001 is an easy thing to commit to, but a hard thing to complete. Lots of the controls are optional, and it is just not enough to guarantee information security management just by saying you have adopted it,” he says.

“You have to look at exactly what the organisation has achieved in attaining that certification – it could be two firms who have committed to it, but one is much further down the road than the other.”

ISO does not carry out certification audits itself. Certification is awarded by independent third-party certification bodies, which are in turn accredited by national accreditation bodies (UKAS in the UK); an organisation is therefore certified, not accredited, and the consultants who help it build its ISMS cannot also be the ones who certify it.

Andrew Kellet, senior analyst at research company Ovum, says software vendors will always argue that compliance for standards like ISO 27001 or PCI-DSS needs to be higher.

“There is always a case of vendors pushing the limit saying ‘This is a requirement, this is what you should be doing, you need this’, and takeup is never going to be enough from their perspective. At the end of the day, it is a selling tool,” he says.

That’s not to say there isn’t a strong argument for ISO 27001 certification among some, but not all, UK organisations.

Accountancy and audit company PricewaterhouseCoopers recently estimated that 40 per cent of large organisations are being asked to demonstrate compliance with the standard.

“ISO 27001 is pretty much now accepted as a worldwide base level standard for security outside of government,” says Bonell.

“The Financial Services Authority (FSA) references it as do other regulatory bodies, and if you have done ISO 27001 you are well on the way to achieving other standards for specific regulations.”

Nathan Jamieson is information security officer at the GB Group, a UK company that specialises in identity management, not just to combat ID fraud, money laundering and under-age gambling, but also to support identity-based marketing and CRM strategies. Its customers include the Co-operative Bank, mobile operator O2, fashion retailer Laura Ashley and utility company Severn Trent Water.

“ISO 27001 provides a commonality of language that is beneficial to us, and the framework is publicly available. We need to provide an element of trust for our clients, and considered ISO 27001 as the de facto standard,” he says.

“It is an effective barometer of where you are, and has certainly opened doors in government departments and financial organisations that would otherwise have been closed to us.”

Prior to achieving ISO 27001 certification earlier this month, GB Group had been undergoing 50-70 information security audits a year, including those from data suppliers and prospective and existing customers.

“The natural step was for us to provide independent assurance that is always only six months old [certified organisations undergo surveillance audits once or twice a year, followed by a full recertification audit every three years],” says Jamieson.

Reader comments

Get your definitions right!

Your article discusses companies gaining accreditation to 27001 and certification to 27001? Only certification bodies are accredited! Companies would need to be 27001 certified by accredited certification bodies.

Posted by: Hamish Byrne  22 Sep 2010
