
Are the U.S. Numbers Planning For ISMS (ISO 27001) Certification Really At 80%?

Over the weekend I was reading the latest issue of SC Magazine, and some of the statements within the article "U.S. lags in ISO 27001 compliance" made me go, "Huh?"

The title is certainly true. I wrote about Information Security Management System (ISMS) certification, based upon BS7799, which has now basically been renamed ISO 27001 certification, around a year ago in "ISMS Certification in the U.S." At that time I spoke with a small but nice representation of U.S.-based organizations, and only one, a multinational company with a very limited ISMS scope, was planning on getting ISMS certification. After that I also learned of a very few U.S. consultancies planning for ISMS certification, to make themselves more competitive.

There are still only 50 U.S.-based businesses that actually have been ISMS certified.

Yes, this is far behind many other countries, with Japan leading the way with 2,256 ISMS certifications. However, Japanese organizations must follow laws requiring ISMS certification.

So some of the statements made within the article that were attributed to John DiMaria, "a product manager at BSI Management Systems, a consulting company that helps organizations meet international certification standards" caught my eye.

The first statement I question attributed to DiMaria is,

"The U.S. has the most laws for security and privacy but the most security breaches of any country in the world."

I take issue with this statement. It may seem so in the past three years, since reporting breaches has become a requirement of a growing number of U.S. state breach notice laws. However, as of right now there are no other countries that I'm aware of with active incident and breach reporting laws. Even without this legal requirement, there are still many breaches and incidents reported throughout the world. How would these numbers rise if similar breach laws were active worldwide?

I'd like to see some numbers to support this statement.

I think a more accurate statement is that the U.S. has more REPORTED breaches than other countries, but there are no statistics to determine how many breaches and incidents occur worldwide...they just are not tracked.

However, the report states DiMaria "blames this [more breaches in the U.S. than elsewhere] on American companies' fragmented approach to security."

Yes, it is very hard to comply with literally hundreds of U.S. federal and state level data protection and privacy laws. However, the conclusion he's reported as giving does not follow sound reasoning.

Another interesting statement,

"A great majority, perhaps 80 percent, of American companies, have ISO 27001 compliance on their road map," he adds. Most are looking "three to four years" away, however, for compliance.

To me the way this sentence is positioned within the entire article, "compliance" implies ISO 27001 certification.

This just does not fit with what information security leaders and practitioners have been telling me. Yes, a great many of them are looking at ISO 17799:2005 (the standard supporting BS7799 ISMS certification, which is now ISO 27001...arrrgghh...all these name/number changes!) to base their information protection controls upon, but not formally through certification. I still have not run across more than the small handful that were planning to pursue ISMS certification a year ago.

Where is this 80% pursuing ISMS/ISO 27001 certification coming from? What validation is there for this number?

Are any of you pursuing ISO 27001 certification? Or not? Please take this week's poll, to the right side of the screen and down a ways, and let me know!

I can't believe with the large numbers of organizations telling me that they are NOT pursuing ISMS (ISO 27001) certification that this 80% number is even close to being in the ballpark. But, perhaps I'm wrong...as we said in Missouri where I grew up, show me! :)

TrackBack
Listed below are links to weblogs that reference Are the U.S. Numbers Planning For ISMS (ISO 27001) Certification Really At 80%?:

» Some Quick Items of Interest from RiskAnalys.is
I plan on following up yesterday’s discussion about modeling with specific application into security metrics tomorrow (or at least later this week), how the right model defeats FUD, but I have about a half a dozen things I thought you might like ... [Read More]

Comments

Rebecca, regarding "To me the way this sentence is positioned within the entire article, 'compliance' implies ISO 27001 certification."

The BSI guy said "...have ISO 27001 compliance on their road map..."

Clearly, what is said here is compliance towards ISO 27001.

That's a different matter that there is "control mapping" to be done to demonstrate compliance to some requirement. IMHO ISO27001 would be a good facilitator for this.

Oh, I definitely agree ISO27001/BS7799 and the supporting ISO17799:2005 are documents that contain huge amounts of helpful guidance and should be utilized by all organizations to complement their information assurance activities!

But if you read the full article (which I didn't see online yet) the BSI guy implies certification is on the roadmap. However, I just don't see that many organizations in the U.S. that are planning to pursue formal certification...and many (to most?) don't know there is such certification.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.