Companies are not implementing an information security management system (ISMS) due to cost reasons.


A survey by consultancy firm Activity found that one third of respondents have considered, but not implemented, an ISMS such as ISO 27001, but believed that the cost of doing so would be prohibitive. Similar proportions of respondents who have implemented such a system also had cost as their top concern.


The survey also found that 40 per cent of companies had already implemented ISO 27001 or a similar ISMS, while 24 per cent had considered it and decided not to go ahead.


Over one third (36 per cent) have not yet even considered implementing ISO 27001 or an equivalent system.


Activity managing director Neil O'Connor claimed that costs can be carefully controlled and managed throughout the accreditation process.


O'Connor said: “The findings show that organisations are potentially exposing their businesses to unnecessary risk by not implementing adequate security and management processes.


“We can typically build a detailed implementation plan for ISO 27001 within ten days and then work alongside clients to work out the best way to deliver it. Often this involves clients implementing part of the plan themselves working alongside our experienced consultants.”