The Pursuit…or Not…of ISO 27001/ISMS/BS7799 Certification

Last week my blog poll was, “Is your organization planning to pursue ISO 27001 certification in 2007 or 2008?”
I asked this after reading an SC Magazine article that I recently blogged about, “Are the U.S. Numbers Planning For ISMS (ISO 27001) Certification Really At 80%?”
As I had indicated, based upon my many discussions with a very wide range of CISOs, I thought this number was way too high.
And now for the results of my *ADMITTEDLY UNSCIENTIFIC WEBPOLL*…drum roll, please; Thhuudddrrrrrrrrrrrrr…

7% – Yes; my organization is based outside the U.S.
13% – Yes; my organization is based in the U.S.
0% – No; my organization is based outside the U.S.
27% – No; my organization is based in the U.S.
7% – Maybe, it is still being discussed; my organization is based outside the U.S.
13% – Maybe, it is still being discussed; my organization is based in the U.S.
33% – Huh? What the heck is ISO 27001 certification? I don’t know if we’re doing this or not.
This represents what I think is probably pretty close to what is realistic, even given the unscientific nature of the poll.
Most of the information security officers with U.S.-based offices that I’ve spoken with have indicated their first concern is getting into compliance with their dozens…and in many cases hundreds…of data protection and privacy laws, regulations and contractual requirements. They have told me that while they recognize ISMS certification covers most of the requirements, that there are some significant gaps that are very important for them to address.
They also often see the time investment (ISMS certification can take a very long time… anywhere from 6 months up to 2 years or even more depending upon the scope of the certification) as being too significant.
Establishing the ISMS certification scope is also an issue that they have said they see problems dealing with in addition to their more pressing compliance requirements.
So, 20% indicate they are pursuing ISMS certification, with 13% being based in the U.S., and 20% are considering ISMS certification, with 13% in the U.S.
Even if the maybe’s turn to yes’s, this would still be just 26% of those based in the U.S. going for certification; far below the 80% projected.
I believe many, and possibly most, of the U.S based organizations *ARE* using ISO 17799:2005 to help determine their security controls, but that the actual numbers who will actively pursue ISMS certification will still be low throughout the near future…2 to 4 years or so.
ISO 17799:2005…transitioning soon to ISO 27002…is a *GREAT* set of potential information security controls for organizations to consider. If you are responsible for information security or privacy consider using them as a good set of starting points to address the risks you’ve identified for your organization. Be sure to also use the OECD privacy principles to ensure the issues related to personally identifiable information (PII) are addressed.

Tags: , , , , , , , , , , ,

Leave a Reply