IT Security News

UK Firms Embrace ISO 27001 Security Standard

Security vendors have been quick to suggest that UK organisations are jeopardising IT security and compliance by not implementing effective data loss prevention policies.

But statistics show that the UK is actually way ahead of its US and European rivals in achieving ISO 27001 certification.

The ISO 27001 family of standards provides an internationally recognised model for the implementation of effective information security management system (ISMS) within an organisation.

It is widely touted as a data security framework against which companies can check the trustworthiness of suppliers, business partners, customers and vendors when exchanging sensitive information.

According to the international register of ISMS certificates, 444 UK companies have achieved ISO 27001 certification so far, lagging only behind Japan and India, and way ahead of Germany (137) and the US (96).

The number of companies to have achieved certification globally is 6,443, though Japan has a staggering 3,499 of that total.

Yet despite the strong indication that UK organisations are by far the most proactive supporters of ISO 27001 certification in the western hemisphere, various surveys insist that UK companies are struggling to implement compliance policies in support of the standard.

Research based on 270 interviews with senior IT staff published in April this year, conducted by Quocirca and commissioned by CA, concluded that UK IT departments were struggling to deal with ISO 27001 compliance issues, for example.

So why the discrepancy and what, if anything, appears to make UK companies recognise the value of ISO 27001 certification more than so many organisations in other countries? Are security software and service vendors overstating the case in a bid to keep their own sales people busy and their revenue stream healthy?

A recently published report into the data security issues affecting datacentre providers, found that ISO 27001 certifications represented the most popular approach to security management in this sector.

Quocirca analyst Bob Tarzey says that there is big difference between committing to ISO certification and actually achieving the necessary controls.

ISO 27001 is an easy thing to commit to, but a hard thing to complete. Lots of the controls are optional, and it is just not enough to guarantee information security management just by saying you have adopted it, he says.

You have to look at exactly what the organisation has achieved in attaining that certification it could be two firms who have committed to it, but one is much further down the road than the other.

The ISO does not carry out certification checks itself, but approves third party consultancy firms to carry out appropriate checks before certification is awarded.

Accountancy and audit company PricewaterhouseCoopers recently estimated that 40 per cent of large organisations are being asked to demonstrate compliance with the standard.

ISO 27001 is pretty much now accepted as a worldwide base level standard for security outside of government, says Bonell.

The Financial Services Authority (FSA) references it as do other regulatory bodies, and if you have done ISO 27001 you are well on the way to achieving other standards for specific regulations.

Nathan Jamieson is information security officer at the GB Group, a UK company that specialises in identity management, not just to combat ID fraud, money laundering and under-age gambling, but also to aid identity based marketing and CRM strategies. Its customers include the Co-operative Bank, mobile operator O2, fashion retailer Laura Ashley and utility company Severn Trent water.

ISO 27001 provides a commonality of language that is beneficial to us, and the framework is publicly available. We need to provide an element of trust for our clients, and considered ISO 27001 as the de facto standard, he says.

It is an effective barometer of where you are, and has certainly opened doors in government departments and financial organisations that would otherwise have been closed to us.

Prior to achieving ISO 27001 certification earlier this month, GB Group had been undergoing 50-70 information security audits a year, including those from data suppliers and prospective and existing customers.

The natural step was for us to provide independent assurance that is always only six months old [ISO 27001 certification can be assessed once or twice a year, followed by a full audit every three years], says Jamieson

One factor widely accepted to be holding organisations back from adopting the ISO 27001 framework is the cost and complexity of implementing it.

This varies hugely depending on where the company starts from, and the volume and range of individual security management processes that need to be certified anything from a few thousand to hundreds of thousands of pounds.

The standard itself can be purchased for 130 Swiss francs at the ISO web site, while the final certification usually costs as much as the external consultancy man hours needed to check appropriate security management procedures are in place, plus a small registration fee.

There are two aspects to it: getting yourself ready, then the certification itself. If an organisation is starting from scratch and needs to implement all the security procedures and the stuff around it, I can easily see a figure of 100,000 plus, says Bonell.

But that does not mean they cannot do some of that themselves there is a lot of self-help material out there, and the accreditation itself might only take a few days of consultant fees.

There will be some costs around management systems and filling in any gaps in their security infrastructure with required software tools, says Tarzey.

While many organisations may still not see where committing time, money and resources to ISO 27001 certification delivers sufficient value, Kellet warns them to be certain they can do without it, as failure to comply could cost them dearly in fines and reputation.

I would advise every organisation to have a properly thought through security strategy at least, with appropriate controls and understanding of the risk involved for not having those controls in place, he says. (

Computer Security Solutions provides ISO27001 Lead Auditors who are able to provide customers with an ISO27001 audit, allowing them to ascertain whether they are able to obtain certification and provide advice on how to improve, if required, their ISMS in order to gain certification.