Archive for December, 2006

ISO 27001 delivers ROI

Friday, December 22nd, 2006

ISO 27001 is not only about safeguarding corporate information assets – it is also a godsend for organisations struggling to deal with regulatory compliance demands.

SOX, HIPAA, Gramm-Leach-Bliley, SB 1386, OPPA and others generate a welter of often overlapping requirements, which can quickly create a huge drain on management resources. However, ISO 27001 provides a highly effective way of cutting through this burden, resulting in very real efficiencies, as this case study shows:

“My audit preparation time dropped from about 2 months to under two days for the Federal Financial Institutions Examination Council (FFIEC) audit (done by the people who were concerned about SOX controls.)”

“My time spent with the auditors was reduced by 50% over a three week time span.”

Show that to people who question whether getting certified creates an ROI.

The big security issue for 2007

Tuesday, December 19th, 2006

As this post by Michael Farnham at Computerworld highlights, many more companies are likely to be attacked in 2007 and too few are implementing robust procedures to counter this. As he says:

“It comes down to whether or not companies view the problem as enough of a risk to spend the capital. And many companies are still making the wrong decision.”

This is the beauty and purpose of information security toolkits, like our ISO 27001 Toolkit. Companies don’t have to spend a fortune on outside consultants or on every new security product that hits the market. If they implement their own information security management system (ISMS) in-house, they can keep the cost of the process under control and purchase only the products that are right for them and for which they have a clearly demonstrable need.

Disaster planning still lags behind

Wednesday, December 13th, 2006

The British Standards Institute has found a significant improvement in companies’ business continuity planning in the past 12 months. However, of the 100 FTSE-250 firms interviewed, “Only 45% … had comprehensive plans in place for a supply chain failure, and 21% of companies said they required all suppliers to have business continuity plans in place.”

Nobody should kid themselves that this can remain the case: any company is potentially vulnerable to a continuity failure if a supplier lets them down. For that reason, expect to see suppliers increasingly called upon to prove that they have measures in place to ensure their dependability. This will be one of the main drivers for the growth of ISO 27001 certification in the next five years. Companies that have it will prosper; companies that don’t will get left behind.

eGovernment falters on lack of trust

Tuesday, December 12th, 2006

A lack of trust is hampering take-up of online government services, according to a recent BCS Thought Leadership Debate. Of course it is – why would anyone entrust their most personal data and important transactions to IT systems without an assurance that they will remain secure? The Cabinet Office has done much to champion the cause of BS 7799/ISO 27001 as vital for the success of online public services, but far too few public sector organisations have become certified: a clear case of taking a horse to water. Public sector executives have to realise that until they provide ISO 27001 as a ‘badge of trust’ to their customers, departments and agencies will fail to deliver on the promise of eGovernment.