WHY IT’S TIME TO GET A BADGE ON THE WALL
ISO 27001 COMPLIANCE MAY BE A CHORE BUT THERE ARE BUSINESS BENEFITS, WRITES ALAN CALDER
CIOs who claim their organisations comply with ISO 27001, but don’t want the trouble of getting the “badge on the wall”, are deceiving themselves.
I suspect the reality is that firms which won’t submit their information security management systems (ISMS) to external audit against ISO 27001 – the infrastructure and data security standard which supersedes BS 7799 – fear their systems would fail.
Surveys tell a depressingly familiar story. Most recently, the tenth annual Computer Security Institute/FBI survey (published in January) revealed that, among CSI members, computer crime continues to have a significant financial impact. The average incident last year cost $204,000. The top two security breaches were through virus attacks and unauthorised access – both of which are controlled by ISO 27001-compliant systems.
I’m prepared to bet that few, if any, CSI members who were victims either hold a current BS7799-2:2002 certificate or are planning to pursue ISO 27001 certification.
Yet evidence suggests that securing information is rarely the primary driver for certification. The top reason, a recent survey suggests, is commercial advantage. A certificate “gives customers confidence that our data security is well managed and certified by an independent source,” one survey respondent noted.
It’s that certification “by an independent source” which is the real benefit of ISO 27001. US regulators implicitly recognised the importance of external validation when they observed: “The best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.”
There are sectors in which the “badge on the wall” debate is already history. UK cheque printers, for example, must comply with a sectoral version of BS7799-2. Suppliers to the NHS are expected to be on track for certification – even if the NHS itself still has some way to go. Business process outsourcing providers find it much simpler to provide a copy of their BS7799-2 certificate in their tender documentation than to answer detailed information security questionnaires.
Some of this might be expected: BS7799 is, after all, a British Standard. The Cabinet Office has, for several years, encouraged take-up in the UK public sector. As more public authorities become certified, so pressure for their private sector suppliers to achieve the standard increases. Today’s early adopters are stealing a march on their competitors.
ISO 27001 can also be a short cut to best-practice compliance with a wide range of data compliance and regulatory requirements. Determined outsourced suppliers insist that their certification is taken into account when preparing for and costing their annual SAS 70 audit – which cuts cost and disruption.
Are organisations beginning to recognise that, in fact, it is the badge on the wall that counts? The growing number of badges suggests so. It took about seven years for the first 1,000 certificates to be achieved, but only one more year (to December 2005) for the second 1,000 awards.
And certification has a ripple effect. Every organisation that achieves ISO 27001 expects its key suppliers to meet the standard. This means that anyone who thinks the badge doesn’t count will have nowhere to hide when the CEO wants to know why their competitors have stolen their lunch.
✱ Alan Calder is director of IT Governance Limited