Archive for October, 2005

ISO 27001: getting certified

Thursday, October 27th, 2005

ISO 27001 finally made its debut last week – in fact, a bit earlier than many were expecting. However, I’m pleased to say that we were ready to go with our new books and toolkit, which were all launched straightaway. ‘The Case for ISO 27001’ is an eBook we have written for non-technical directors and managers to help explain why information security is a C-Suite responsibility, and how the new standard meets the needs of corporate IT infrastructure, information risk and regulatory compliance. ‘Nine Steps to Success – an ISO 27001 Implementation Overview’ eBook is a practical guide for IT security project managers – it provides a rigorous approach to enable compliance and certification to be achieved efficiently. To help the whole process happen, we’ve also launched an ‘ISO 27001 Toolkit’ (based on our popular BS 7799 Toolkit), which is a comprehensive ‘do-it-yourself’ programme for achieving ISO 27001 compliance without calling in expensive consultants. If you’re interested, you can check them out and buy online at www.itgovernance.co.uk/bs7799.aspx.

Wasteful IT expenditure

Wednesday, October 26th, 2005

There’s an interesting post on the PMThink! blog about how little IT investment actually brings value to the business. This is information to which all non-executive directors should pay close attention. If, on average, IT expenditure is about 30% of total expenses, and if at most 8% of it brings value, then the need for a board IT governance committee that insists on firm and clear oversight of all IT initiatives becomes critical. Directors are responsible for corporate performance, and they’re also responsible for ensuring value for money. These figures suggest that most boards are much more exposed to the ire of shareholders than they might suspect.

Who sits on the IT Governance committee?

Wednesday, October 26th, 2005

Another post on PMThink! makes a good point about who should sit on the company’s IT Governance committee. The challenge for the majority of boards is that they struggle to find non-executive directors who are adequately knowledgeable on IT to perform this function. This should not be a reason not to set up the IT committee; what it does mean is that the IT committee may need to take external advice, on an ongoing basis, on the adequacy and effectiveness of its IT operations. Inevitably, this means further expense, but more important will be the requirement for members of the committee to use that advice constructively and sensibly.

CIOs in the boardroom

Thursday, October 20th, 2005

Recent research from Burson-Marsteller makes it clear that, in the developed world, still only a tiny minority of companies (less than 10%) have their CIO on the board while, in the developing world, companies are about ten times more likely to have done this.

That sounds like ‘sayonara’ to companies in the developed world – if we can’t get our heads around the simple notion that we have to harness IT (the letters, remember, stand for ‘information technology’) to help us compete in the information economy, then we’d better start learning some foreign languages and get our homes on the market while they still have some value in them…

The Symantec Threat Report

Sunday, October 2nd, 2005

Symantec do say, in their recently released Threat Report, that the Mozilla family of browsers had a higher number of vulnerabilities, in the first six months of 2005, than Internet Explorer – and that a higher percentage of these were high-severity. So much for Mozilla and its supposedly ‘safe’ browsers.

What is clear is that there is more hype and spin around open source than many would like to admit. What isn’t clear is the extent to which it’s motivated by the software community’s jealousy of Bill Gates. I wonder if Mozilla’s failure is a leading indicator for the failure of the wider open source movement as well? If it is, there are significant governance and security implications for all organizations that have deployed open source software – as well, obviously, for anyone who has a financial stake in an open source-dependent operation of any sort.