Study: ISO 27001 recommended, but not always enforced
A new report from IT Governance reveals that whilst almost all security practitioners recommend the ISO 27001 standard for improving a company's security posture, only half of these adhere to the standard and even fewer have the appropriate personnel in place to manage it.
The ISO 27001 Global Report 2015 is based on a study of 245 senior executives and practitioners around the world and it reveals that almost all of these (96 percent) believe that ISO 27001 plays an important role in improving their firm's cyber-security defences.
Nearly 70 percent of respondents said that improving information security was the biggest driver for implementing the standard, followed by a requirement “to align with information security best practice” (62 percent) and “gaining a competitive advantage” (57 percent). Improved information security is also seen as the single most important benefit of ISO 27001 implementation (51 percent).
Alan Calder, founder and executive chairman of IT Governance, said in a statement: “Considering that ISO 27001 is now a regular tender and contract requirement, it is unsurprising that certification to the Standard is popular, as our survey has revealed. An ISO 27001 certificate is a simple and credible way of demonstrating to clients and stakeholders that an organisation has implemented best-practice information security processes and can be trusted.”
However, according to the report, only 40 percent of these organisations had achieved ISO 27001 certification with a further 44 percent working towards compliance. Some 16 percent said that they are not planning to certify their information security management system (ISMS) although 68 percent said that achieving certification is an “investment that is fully justified by the benefits.”
This awareness on the benefit appears to be filtering through the supply chain and to company CEOs, with over a third of respondents (38 percent) saying that they had no difficulty in securing CEO buy-in on the implementation. Another fifth, however, said that it was most challenging to convince board that information security is critical business issue.
“The evidence that more than one-third of the boards support ISO 27001 implementation suggests growing awareness of the benefits of the standard,” added Calder. “However, this positive result is overshadowed by the fact that 23 percent of respondents admit that securing sufficient budget for their ISO 27001 project remains their biggest challenge, and a further 13 percent struggled to secure permission to employ sufficient human resources to deliver the project.”
Other issues facing the companies (which had revenues ranging from £3 million to £300 million on ISO compliance including raising staff awareness (45 percent) and ensuring the right level of competence (44 percent). Only 23 percent of firms employed a dedicated full-time ISMNS manager, with the rest delegating to IT managers, CISOs, CIOs and compliance managers.
Furthermore, 44 percent of respondents admitted that the person managing their ISMS doesn't have a formal ISMS qualification. Despite this lack of relevant training, 28 percent are not planning to train their ISMS manager, while 35 percent do not have control over that decision. Only 37 percent are planning to train their existing ISMS managers.
Subsequently, almost half (40 percent) of respondents say they use external consultants to help them prepare for certification.