Posts Tagged ‘ISO 27001 Toolkit’

The big security issue for 2007

Tuesday, December 19th, 2006

As this post by Michael Farnham at Computerworld highlights, many more companies are likely to be attacked in 2007 and too few are implementing robust procedures to counter this. As he says:

“It comes down to whether or not companies view the problem as enough of a risk to spend the capital. And many companies are still making the wrong decision.”

This is the beauty and purpose of information security toolkits, like our ISO 27001 Toolkit. Companies don’t have to spend a fortune on outside consultants or on every new security product that hits the market. If they implement their own ISMS in-house they can keep the cost of the process under control and only purchase the products that are right for them and for which they have a clearly demonstrable need.

SMBs lag on security

Wednesday, September 27th, 2006

Confirmation from PriceWaterhouseCoopers that small and medium-sized firms are underinvesting in IT security and suffering for it. PWC calls the difference in preparedness between large and smaller companies ‘a tale of two cities’, which seems pretty apt. As they say, too many SMBs are unaware of ISO 27001 and other measures that would provide vital help.

It’s all very well Alun Michael MP observing that low awareness is a problem, but what will the Government do to help change this? Not a lot, I fear, with it firefighting issues like NHS budgets, prison scandals, ministerial affairs and ‘cash for coronets’ – critical issues like ISMS just won’t receive the backing they need.

Instead, it will be up to the business community to resolve the issue itself, hence our work to produce books like A Business Guide to Information Security and our ISO 27001 Toolkit, both of which were created with SMBs very much in mind.

ISO 27001 IS the new ISO 9001

Friday, May 19th, 2006

I’ve said often that ISO 27001 will experience the same level of take-up as ISO 9001 did, and now it appears that others are coming to the same view. In an article announcing that the Federal Reserve Bank of New York is the first US institution to achieve the standard, Victor Garza asks whether ISO 27001 will be the new ISO 9001.

It will.

Sales of The Case for ISO 27001, Nine Steps to Success and of our ISO 27001 Toolkit have been growing so fast that we can already see how important this standard is becoming. We’ll soon be in “What? You’re not ISO 27001-certified?” territory.

ISO 27001: getting certified

Thursday, October 27th, 2005

ISO 27001 finally made its debut last week – in fact, a bit earlier than many were expecting. However, I’m pleased to say that we were ready to go with our new books and toolkit, which were all launched straightaway. ‘The Case for ISO 27001’ is an eBook we have written for non-technical directors and managers to help explain why information security is a C-Suite responsibility, and how the new standard meets the needs of corporate IT infrastructure, information risk and regulatory compliance. ‘Nine Steps to Success – an ISO 27001 Implementation Overview’ eBook is a practical guide for IT security project managers – it provides a rigorous approach to enable compliance and certification to be achieved efficiently. To help the whole process happen, we’ve also launched an ‘ISO 27001 Toolkit’ (based on our popular BS 7799 Toolkit), which is a comprehensive ‘do-it-yourself’ programme for achieving ISO 27001 compliance without calling in expensive consultants. If you’re interested, you can check them out and buy online at www.itgovernance.co.uk/bs7799.aspx.