17799.Com :: View topic - What factors are slowing the take-up of 7799 certification?
Poll: Why aren't more companies gaining 7799 certification?
- Lack of government support / funding [ 0 ]
- Lack of executive awareness [ 2 ]
- Lack of multinationals requiring it of their suppliers [ 1 ]
- Confusion caused by the apparent range of competing standards [ 2 ]
- Apparent lack of business drivers for certification [ 2 ]
Total Votes : 7
Joined: Jul 12, 2004 Posts: 3 Location: UK
Posted: Mon Jul 12, 2004 11:04 pm Post subject: What factors are slowing the take-up of 7799 certification?
Why do you think that more companies aren't gaining 7799 certification, given that it's been around for a while?
The take-up seems slower than was the case for certifications from other disciplines, e.g. BS5750/ISO9000. There may be a number of reasons for this:
- lack of government support / funding
- lack of executive awareness
- lack of multinationals requiring it of their suppliers
- confusion caused by the apparent range of competing standards
- apparent lack of business drivers for certification
Have you identified other reasons? Which do you think are the most important?
There are many firms certified, and it's a rapidly growing number.
Maybe it's just a relative thing, as I don't have much exposure to ISO 9000. I think it is also worth bearing in mind though that ISO 9000 applies to ALL firms. IS simply isn't applicable to some of them.
Posted: Tue Jul 13, 2004 6:08 pm Post subject: Is this the case?
My comments are particularly aimed to the UK (I fully accept that 7799 certification in Japan is much more significant).
Let me quote Chris Potter from PwC who led the DTI Information Security Breaches Survey 2004. "BS7799 is the leading standard in the world [for security]. But neither awareness nor those who have implemented it have increased in the two years since the last report".
There are 26,000 UK firms certified to ISO 9000 and about 100 to BS7799. Whilst ISO 9000 (and before it BS5750) have been around for much longer, take-up was significantly ahead of 7799 after the same length of time. That means that there are 25,900 firms who recognise the need to certify their QMS, but not their ISMS.
And are there really a significant number of firms who have NO information assets to protect? Not in my experience. Even my plumber needs to backup his PC and be alert to the Data Protection implications of his customer records.
Sorry, but IMHO Chris Potter is definitely talking out of his hat.
Awareness of the standard now, compared with two years ago? No comparison at all. All the metrics I have seen (and yes, this includes the UK) shows dramatic growth.
I think it's important to understand that there are different levels in play here. Not everyone needs certification, or certainly, the sort of consultancy that his firm offers (which may affect his perception).
For many, broad compliance with the standard is more than adequate. Others will measure that compliance specifically and report on it. Others will prepare for certification. And some will go for certification.
It's a complex picture with varying growth in each of these areas. But growth there is. There is certainly SUBSTANTIAL growth in the earlier stages.
And oh yes, your comparison with ISO 9000. There is a big difference: your local plumber might actually obtain a direct marketing edge through ISO 9000, in that he can blabber about the 'quality' of his service. Would the security of his PC actually make any difference at all to his marketing? I don't think so.
Security is a major differentiator for many industries, but just not as many as quality.
As for metrics, look at the increasing numbers of searches for the standard, the increasing circulation of the ISO 17799 Newsletter (I subscribed when it was less than 500!) or even the emergence of a forum like this one.
From my perspective the growth is there, it is clear, and it shows no sign of slowing.
Posted: Tue Jul 13, 2004 11:58 pm Post subject: But why is it taking so long?
I agree with you that I've seen much more interest and activity in 7799 within the last two years. My question is “Why aren't more companies gaining 7799 certification?”
The standard has been around (largely in its current form) since it was first published as a Code of Practice in 1989. That's fifteen years! I know that the BS7799 certification scheme has only become available more recently, but that doesn't go a long way to explaining why only about 100 organisations in the UK have gained certification to date.
[I am CSO of one of those 100 organisations. The reason for my post was a desire to understand what issues have prevented more organisations from joining us (rather than to cast aspersions on the standard itself)]
I agree that quality is a major differentiator in many more industries than information security. But Corporate Governance bears some relevance to most organisations, and increased awareness of the need to manage the risks relating to information security is one of the key drivers for increased interest in 7799 (IMHO).