ISO/IEC 27001: the story so far

ISO/IEC 27001, the information security management systems standard, was first published in October 2005. Two years on, has it proved to be a success? Is it as effective and popular as the quality and environmental standards have been? Pandita Louram investigates whether ISO/IEC 27001 has secured a place for itself in the management system hall of fame.

ISO/IEC 27001 was finally released as an international standard at the end of 2005. Until then, organizations that wished to have their information security management systems (ISMS) certified had done so in conformity with BS 7799 Part 2, a British national standard, rather than an international one. ISO/IEC 27001 can be used by a broad range of organizations – small, medium and large – in most commercial and industrial market sectors.

The implementation of ISO/IEC 27001 will reassure customers and suppliers that information security is taken seriously within the organizations they deal with because they have in place state-of-the-art processes to deal with information security threats and issues. Organizations that are certified to this new standard must:

  • demonstrate that all activities follow a method – the method is arbitrary but must be well-defined and documented
  • specify their own security goals; an auditor will verify whether these goals are fulfilled
  • use the results of risk analysis to establish security measures
  • establish a set of security controls – these are suggested in the standard but it is up to the organization to choose which controls to implement based on the specific needs of their business
  • implement a process to ensure the continuous verification of all elements of the security system through audits and reviews
  • implement a process which must ensure the continuous improvement of all elements of the security system

ISO/IEC 27001 is aligned with both the quality management system (QMS) standard, ISO 9001, and the environmental management system (EMS) standard, ISO 14001. The three standards share system elements and principles such as plan, do, check, act. It is possible and, most argue, beneficial to integrate all three systems.

But how successful has the uptake of ISO/IEC 27001 been? Certification varies from country to country. It has proved, by a long way, most popular with organizations in the Japanese market. Since its release, 1,907 certificates have been issued in Japan. This represents 58 per cent of the global number issued. Japan is followed by the UK with ten per cent (319 certificates), India with eight per cent (269 certificates), Taiwan with four per cent (123 certificates) and Germany with two per cent (74 certificates). Asia, mainly due to Japan’s enthusiasm, is responsible for the highest number of certifications with 2,477, or 75 per cent of the total number issued worldwide. Europe is next in line with 682 certificates or 21 per cent of the total, leaving the rest of the world with just over four per cent.

By February 2007, 3,309 ISO/IEC 27001 certificates had been issued in a total of 68 countries. While it appears that this new standard has a long way to go, it is still early days for ISO/IEC 27001. It is worth bearing in mind also that at the start of 1993, six years after the release of ISO 9000, the world total number of certificates was 27,816 in only 48 countries.

In its first six years, ISO 9000 experienced an annual growth rate of 16 per cent. Based on the assumption that certifications will be issued at a similar rate as they have been since October 2005, the forecasted annual growth rate for ISO/IEC 27001 is set to be higher at 25 per cent. Certificates are also being issued across a wide variety of countries, including those in developing regions such as Moldova and Indonesia.

This positive uptake may be due to a number of reasons, such as the established popularity of QMS and EMS or the increasing dependency of organizations on information, particularly electronic information, and the need to keep that information confidential and secure. Organizations across the world, most notably those in Asia, are also becoming more aware of the benefits that certification offers in the long term.

A survey by information security consultants Gamma is evidence of the need to safeguard information. Gamma surveyed a total of 4,363 organizations between 1998 and 2006. The results showed just how important information confidentiality is to companies regardless of industry or size. Twenty-nine per cent of organizations reported that their customers would sue them if they were adversely affected by poor information security. Twenty-seven per cent said customers would want to audit or check a company’s approach to information security and 48 per cent said customers would, at least, ask them about security. If almost half of an average client base is concerned about information security, it is no wonder that this standard is proving popular so far.

The potential damage caused by a lax attitude to security should not be underestimated. With retail giants such as TK Maxx, the UK outlet of the US retailer TJX, recently caught out by hackers who stole information from at least 45.7 million customers’ payment cards, the need for a standard has never been greater. According to Gamma, 78 per cent of surveyed organizations expressed concern about the leakage of sensitive information to outsiders, and it seems that this concern can be, and is being, addressed by implementing and maintaining the requirements of ISO/IEC 27001.

The standards are copyright protected text and must be purchased. For ISO standards including ISO/IEC 27001, contact ANSI at http://webstore.ansi.org. Alternatively you can purchase from ISO directly at www.iso.ch

To find out more about what IRCA has to offer visit www.irca.org/certification/certification_8.html