Most organisations rely on external support to correctly implement ISO 27001
According to the ISO 27001 Global Report 2016 published by IT Governance, the leading provider of cyber security and ISO 27001 expertise, most organisations rely on external support to correctly implement ISO 27001 information security management systems (ISMSs).
The ISO 27001 Global Report 2016, which is based on responses from 250 information security professionals from around the world, highlights that implementers struggle with key areas of ISO 27001 implementation. 41% of respondents experience challenges such as interpreting the Standard’s requirements (31%), creating and managing the ISMS documentation (28%), reporting on and maintaining the ISMS (24%), and conducting risk assessments (22%). Additionally, the report emphasises that more than half of organisations “rely on external advice and technical expertise to assist them with the management of their ISMS.”
Alan Calder, the founder and chief executive officer of IT Governance, said: “As the report shows, there is an increased need for upskilling and supporting information security professionals with the qualifications to fulfil the role of ISMS manager. While most organisations aspire to manage information security themselves, the reality of the worldwide cyber security skills shortage and the lack of familiarity with ISO 27001 leads most organisations to draw on expert outside help in order to achieve their short-term business objectives of improving cyber security, reducing cyber risk and improving business performance.” 
Furthermore, 54% of the respondents said they use external penetration testing providers, while 51% reported relying on external consultants to assist them with implementing their ISMS. Moreover, almost 40% of the respondents to the survey outsource their e-learning staff awareness programmes, and over 30% use documentation toolkits to meet their ISO 27001 documentation obligations.
Alan Calder continued: “Of course, in the long run, organisations should develop their own skills so they can manage and improve their ISMS – and that’s one of the reasons organisations come to us: they know that our training courses are aligned with our implementation methodology, making it easy for our clients to build on their initial investment in achieving ISO 27001 certification.”
Moreover, the report shows that only 16% of companies employ a dedicated, full-time ISMS manager. The report findings suggest that IT managers (19%) and CISOs (18%) are more frequently responsible for the ISMS.
To download and read the full ISO 27001 Global Report 2016, please visit the website, email or call +44 (0)845 070 1750.  