When organisations allow outsourcers or other third parties - whether local or offshore - to handle customers' information, they will increasingly demand evidence that this data is protected while offsite. And this requirement is growing as details of high-profile security breaches keep hitting the headlines. One way to ensure good practices for security is to use service providers certified to the BS7799 British security standard - or its international equivalent ISO 17799 - designed to help firms manage and minimise security risks.
Although compliance with the standard is no guarantee of security, it is a sign that a firm takes risk management seriously.
Uptake of the standard has grown massively during its 10-year history, especially in the past few years. In 2002, fewer than 200 organisations worldwide had achieved BS7799 certification, according to the Information Security Management Systems (ISMS) International User Group. Today this number has risen to 1,870.
The results of Ernst & Young's Global Information Security Survey, released last week, also show interest in BS7799 is increasing. Among the 1,300 global organisations surveyed, a quarter had adopted the security standard, while a further 30 percent are planning to do so.
Antony Smyth, information security partner at Ernst & Young, said some firms believe that achieving certification would be too complicated, so many are following the standard's guidelines without getting formally certified. "We're all better off if we have recognisable public-domain standards to work to," he added.
According to the ISMS group, Japan has by far the most certificates of any country, at 1,080. In second place is the UK with 215.
One of the countries with the fastest-growing uptake is India, in third place with 131 certified firms - up from 28 last April. LogicaCMG, which last month announced that its facilities in Bangalore had achieved BS7799 certification, said it is evidence of good business practice and proof the firm has implemented good security schemes.
"Most of our clients are European, so we need to show we're operating in line with best UK and European security practice," said Dave Martin, managing consultant at the firm. "We're also handling personal information for clients in the financial sector, so they want to make sure we're operating legally under FSA rules, and under the UK's Data Protection Act."
Uptake of the standard could become more important for offshore firms in future. Martin noted predictions that offshore facilities without proof of good security systems are likely to lose business and close within the next five years. Martin added that cultural differences are also a challenge. "People in India want to be helpful. So if you turn up without a security badge the guard will still let you in - this needs to be changed," he said.




