Are the U.S. Numbers Planning For ISMS (ISO 27001) Certification Really At 80%?

Over the weekend I was reading the latest issue of SC Magazine, and some of the statements within the article “U.S. lags in ISO 27001 compliance” made me go, “Huh?”
The title is certainly true. I wrote about Information Security Management System (ISMS) certification, based upon BS7799, which has now basically been renamed ISO 27001 certification, around a year ago in “ISMS Certification in the U.S.” At that time I spoke with a small but nice representation of U.S. based organizations, and only one, a multinational company with a very limited ISMS scope, was planning on getting ISMS certification. After that I also learned of a very few U.S. consultancies planning for ISMS certification, to make themselves more competitive.
There are still only 50 U.S. based businesses that actually have been ISMS certified.
Yes, this is far behind many other countries; with Japan leading the way with 2,256 ISMS certifications. However, Japanese organizations must follow laws requiring ISMS certification.
So some of the statements made within the article that were attributed to John DiMaria, “a product manager at BSI Management Systems, a consulting company that helps organizations meet international certification standards” caught my eye.
The first statement I question, attributed to DiMaria, is:

“The U.S. has the most laws for security and privacy but the most security breaches of any country in the world.”

I take issue with this statement. It may seem so over the past three years, as reporting breaches has become a requirement under a growing number of U.S. state breach notice laws. As of right now, though, I am not aware of any other country with active incident and breach reporting laws. Even without such a legal requirement, many breaches and incidents are still reported throughout the world. How much would those numbers rise if similar breach laws were in force worldwide?
I’d like to see some numbers to support this statement.
I think a more accurate statement is that the U.S. has more REPORTED breaches than other countries; there are no statistics to determine how many breaches and incidents occur worldwide…they just are not tracked.
However, the report states DiMaria “blames this [more breaches in the U.S. than elsewhere] on American companies’ fragmented approach to security.”
Yes, it is very hard to comply with literally hundreds of U.S. federal and state level data protection and privacy laws. However, the conclusion he’s reported as giving does not follow sound reasoning.
Another interesting statement:

“A great majority, perhaps 80 percent, of American companies, have ISO 27001 compliance on their road map,” he adds. Most are looking “three to four years” away, however, for compliance.

To me, the way this sentence is positioned within the article, “compliance” implies ISO 27001 certification.
This just does not fit with what information security leaders and practitioners have been telling me. Yes, a great many of them are looking at ISO 17799:2005 (the standard supporting BS7799 ISMS certification, which is now ISO 27001…arrrgghh…all these name/number changes!) as the basis for their information protection controls, but not formally through certification. I still have not run across more than the small handful that were planning to pursue ISMS certification a year ago.
Where does this figure of 80% pursuing ISMS/ISO 27001 certification come from? What validation is there for this number?
Are any of you pursuing ISO 27001 certification? Or not? Please take this week’s poll, to the right side of the screen and down a ways, and let me know!
I can’t believe with the large numbers of organizations telling me that they are NOT pursuing ISMS (ISO 27001) certification that this 80% number is even close to being in the ballpark. But, perhaps I’m wrong…as we said in Missouri where I grew up, show me! 🙂