Now Available:

line

Featured Resources:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Rebecca.

« Speaking of Social Networking Sites... | Main | EU Data Protection Directive 95/46/EC: Member Countries »

The Pursuit...or Not...of ISO 27001/ISMS/BS7799 Certification

Last week my blog poll was, "Is your organization planning to pursue ISO 27001 certification in 2007 or 2008?"

I asked this after reading an SC Magazine article that I recently blogged about, "Are the U.S. Numbers Planning For ISMS (ISO 27001) Certification Really At 80%?"

As I had indicated, based upon my many discussions with a very wide range of CISOs, I thought this number was way too high.

And now for the results of my *ADMITTEDLY UNSCIENTIFIC WEBPOLL*...drum roll, please; Thhuudddrrrrrrrrrrrrr...

7% - Yes; my organization is based outside the U.S.
13% - Yes; my organization is based in the U.S.
0% - No; my organization is based outside the U.S.
27% - No; my organization is based in the U.S.
7% - Maybe, it is still being discussed; my organization is based outside the U.S.
13% - Maybe, it is still being discussed; my organization is based in the U.S.
33% - Huh? What the heck is ISO 27001 certification? I don't know if we're doing this or not.

This represents what I think is probably pretty close to what is realistic, even given the unscientific nature of the poll.

Most of the information security officers with U.S.-based offices that I've spoken with have indicated their first concern is getting into compliance with their dozens...and in many cases hundreds...of data protection and privacy laws, regulations and contractual requirements. They have told me that while they recognize ISMS certification covers most of the requirements, that there are some significant gaps that are very important for them to address.

They also often see the time investment (ISMS certification can take a very long time... anywhere from 6 months up to 2 years or even more depending upon the scope of the certification) as being too significant.

Establishing the ISMS certification scope is also an issue that they have said they see problems dealing with in addition to their more pressing compliance requirements.

So, 20% indicate they are pursuing ISMS certification, with 13% being based in the U.S., and 20% are considering ISMS certification, with 13% in the U.S.

Even if the maybe's turn to yes's, this would still be just 26% of those based in the U.S. going for certification; far below the 80% projected.

I believe many, and possibly most, of the U.S based organizations *ARE* using ISO 17799:2005 to help determine their security controls, but that the actual numbers who will actively pursue ISMS certification will still be low throughout the near future...2 to 4 years or so.

ISO 17799:2005...transitioning soon to ISO 27002...is a *GREAT* set of potential information security controls for organizations to consider. If you are responsible for information security or privacy consider using them as a good set of starting points to address the risks you've identified for your organization. Be sure to also use the OECD privacy principles to ensure the issues related to personally identifiable information (PII) are addressed.

Tags:                  
 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Rebecca Herold on August 21, 2007 10:09 PM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-itcompliance.com/type/mt-tb.cgi/494

Comments

Hi Rebecca.

FYI ISO/IEC 17799:2005 was renamed ISO/IEC 27002:2005 last month.

There's more detailed info on the ISO27k standards at www.iso27001security.com

Kind regards.
Gary

Posted by: Gary Hinson | August 22, 2007 12:58 AM

Thanks for the link, Gary!

I knew the rename was coming soon...and now it's here! :)

Posted by: Rebecca | August 22, 2007 8:44 AM

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.