Archive for the ‘ISO 20000’ Category

BS25999 and ISO27001

Tuesday, October 16th, 2007

Once upon a time, there was only BS7799 for information security - now there are three parts to it, two of which have become internationalised (ISO27001) and are part of a series which has something like 20 numbers reserved for future use - and we also have the PCI DSS to provide a more prescriptive approach to protecting commercially important card holder data. You would have thought that, with all these standards, business would have become more secure.

Perhaps - but, clearly, continuity needs have not been adequately recognized. The first part of BS25999 (already published) was just a code of practice - but the arrival of part 2, the management system specification, will make it possible for organizations to get a BS25999 certificate - to go alongside their ISO27001 and ISO20000 certificates, no doubt.

Or will the proliferation of certificates simply lead to confusion in the minds of stakeholders as well as managers and customers?

It’s been a long summer

Tuesday, September 20th, 2005

It’s been a long summer, and blogging has had to take a back seat to managing the fast growth of our business, IT Governance Ltd. Sales of books and tools through www.itgovernance.co.uk have continued to increase substantially month on month. We’ve expanded our product range, adding a TSO (The Stationery Office) distributorship as well as books from van Haren. As a result of these two agreements, we now have an outstanding collection of ITIL, BS15000 and related titles available through the website. We also now offer, amongst our project governance titles, the new Prince2 books and supporting tools. An inexpensive Pocket Guide to IT Governance, dealing with CobiT principles, is the first, we hope, of a number of CobiT titles.

Excitingly, we are also now able to offer electronic versions of the two information security standards and we are in the final stages of negotiations to add several significant information security management products to the site as well.

This all means that we’re having to get additional office space as well as recruiting more back office people to support our websales and marketing activity, as well as to drive forward our publishing business.

We continue to observe information security stupidity and are increasingly fascinated that this form of stupidity seems to become more successful the larger the company. It seems to turn Darwin on his head, that the least useful approaches are the ones that appear to win out - when business slows down, it’ll be worth thinking about.