UK firms embrace ISO 27001 security standard
Despite vendor scaremongering, UK firms are doing better than most when it comes to achieving security compliance
Bob Tarzey: ISO 27001 is an easy thing to commit to, but a hard thing to complete
Security vendors have been quick to suggest that UK organisations are jeopardising IT security and compliance by not implementing effective data loss prevention policies.
But statistics show that the UK is actually way ahead of its US and European rivals in achieving ISO 27001 certification.
The ISO 27001 family of standards provides an internationally recognised model for implementing an effective information security management system (ISMS) within an organisation.
It is widely touted as a data security framework against which companies can check the trustworthiness of suppliers, business partners, customers and vendors when exchanging sensitive information.
According to the international register of ISMS certificates, 444 UK companies have achieved ISO 27001 certification so far, lagging only behind Japan and India, and way ahead of Germany (137) and the US (96).
The number of companies to have achieved certification globally is 6,443, though Japan has a staggering 3,499 of that total.
Yet despite the strong indication that UK organisations are by far the most proactive supporters of ISO 27001 certification in the western hemisphere, various surveys insist that UK companies are struggling to implement compliance policies in support of the standard.
Research based on 270 interviews with senior IT staff published in April this year, conducted by Quocirca and commissioned by CA, concluded that UK IT departments were struggling to deal with ISO 27001 compliance issues, for example.
So why the discrepancy and what, if anything, appears to make UK companies recognise the value of ISO 27001 certification more than so many organisations in other countries? Are security software and service vendors overstating the case in a bid to keep their own sales people busy and their revenue stream healthy?
Stuart Bonell is an associate consultant at consultancy BroadGroup, which recently published a report on the data security issues affecting datacentre providers; it found that ISO 27001 certification was the most popular approach to security management in this sector. He thinks the ISMS register numbers sound low, and suspects there are more companies with ISO 27001 certification than appear on the register.
“It did start out as a British standard, which could be one reason why it is more popular here, while the US equivalent is the statement on auditing standards (SAS) 70 type II standard – lots of datacentre companies have them both now,” Bonell says.
And Quocirca analyst Bob Tarzey says that there is a big difference between committing to ISO certification and actually achieving the necessary controls.
“ISO 27001 is an easy thing to commit to, but a hard thing to complete. Lots of the controls are optional, and it is just not enough to guarantee information security management just by saying you have adopted it,” he says.
“You have to look at exactly what the organisation has achieved in attaining that certification – it could be two firms who have committed to it, but one is much further down the road than the other.”
The ISO does not carry out certification checks itself, but approves third-party consultancy firms to carry out the appropriate checks before certification is awarded.
Andrew Kellet, senior analyst at research company Ovum, says software vendors will always argue that compliance for standards like ISO 27001 or PCI-DSS needs to be higher.
“There is always a case of vendors pushing the limit saying ‘This is a requirement, this is what you should be doing, you need this’, and takeup is never going to be enough from their perspective. At the end of the day, it is a selling tool,” he says.
That’s not to say there isn’t a strong argument for ISO 27001 accreditation among some, but not all, UK organisations.
Accountancy and audit company PricewaterhouseCoopers recently estimated that 40 per cent of large organisations are being asked to demonstrate compliance with the standard.
“ISO 27001 is pretty much now accepted as a worldwide base level standard for security outside of government,” says Bonell.
“The Financial Services Authority (FSA) references it as do other regulatory bodies, and if you have done ISO 27001 you are well on the way to achieving other standards for specific regulations.”
Nathan Jamieson is information security officer at the GB Group, a UK company that specialises in identity management, not just to combat ID fraud, money laundering and under-age gambling, but also to aid identity based marketing and CRM strategies. Its customers include the Co-operative Bank, mobile operator O2, fashion retailer Laura Ashley and utility company Severn Trent water.
“ISO 27001 provides a commonality of language that is beneficial to us, and the framework is publicly available. We need to provide an element of trust for our clients, and considered ISO 27001 as the de facto standard,” he says.
“It is an effective barometer of where you are, and has certainly opened doors in government departments and financial organisations that would otherwise have been closed to us.”
Prior to achieving ISO 27001 certification earlier this month, GB Group had been undergoing 50-70 information security audits a year, including those from data suppliers and prospective and existing customers.
“The natural step was for us to provide independent assurance that is always only six months old [ISO 27001 certification can be assessed once or twice a year, followed by a full audit every three years],” says Jamieson.
One factor widely accepted to be holding organisations back from adopting the ISO 27001 framework is the cost and complexity of implementing it.
This varies hugely depending on where the company starts from, and the volume and range of individual security management processes that need to be certified – anything from a few thousand to hundreds of thousands of pounds.
The standard itself can be purchased for 130 Swiss francs (£78) at the ISO web site, while the final certification usually costs as much as the external consultancy man hours needed to check appropriate security management procedures are in place, plus a small registration fee.
“There are two aspects to it: getting yourself ready, then the certification itself. If an organisation is starting from scratch and needs to implement all the security procedures and the stuff around it, I can easily see a figure of £100,000 plus,” says Bonell.
“But that does not mean they cannot do some of that themselves – there is a lot of self-help material out there, and the accreditation itself might only take a few days of consultant fees.”
“There will be some costs around management systems and filling in any gaps in their security infrastructure with required software tools,” says Tarzey.
Many third-party companies sell ISO certification services whereby they send somebody along to carry out appropriate checks then issue the certificate. The GB Group chose the British Standards Institute (BSI) as its auditor, for example, but chose to carry out all the preparation itself.
“It [the BSI] provided us with advice and feedback, and road-tested the management system itself, followed by a 12-week period of bedding in, then a four-day audit resulting in the certification,” says Jamieson. “As an information security professional, I am really familiar with the standard and have a good technical background, meaning GB Group has a dedicated internal resource to commit time to it.”
Another UK ISO certification body, UKICM, estimates it can deliver certification for as little as £1,495 + VAT, including the audit and registration, for example.
That figure does not include the price of any additional hardware or software required to achieve certification, with annual ISO auditing costing from £485 upwards.
While many organisations may still not see where committing time, money and resources to ISO 27001 certification delivers sufficient value, Kellet warns them to be certain they can do without it, as failure to comply could cost them dearly in fines and reputation.
“I would advise every organisation to have a properly thought through security strategy at least, with appropriate controls and understanding of the risk involved for not having those controls in place,” he says.