BS25999 and ISO27001

Once upon a time, there was only BS7799 for information security – now there are three parts to it, two of which have been internationalised (ISO27001) and are part of a series which has something like 20 numbers reserved for future use – and we also have the PCI DSS to provide a more prescriptive approach to protecting commercially important cardholder data. You would have thought that, with all these standards, business would have become more secure.

Perhaps – but clearly, continuity needs have not been adequately recognised. The first part of BS25999 (already published) was just a code of practice – but the arrival of part 2, the management system specification, will make it possible for organisations to obtain a BS25999 certificate – to sit alongside their ISO27001 and ISO20000 certificates, no doubt.

Or will the proliferation of certificates simply lead to confusion in the minds of stakeholders as well as managers and customers?