ISO 27001, ISO 27002 & ISO17799 User Group: Forums


What factors are slowing the take-up of 7799 certification?

 

Why aren't more companies gaining 7799 certification?
- Lack of government support / funding: 0% [ 0 ]
- Lack of executive awareness: 28% [ 2 ]
- Lack of multinationals requiring it of their suppliers: 14% [ 1 ]
- Confusion caused by the apparent range of competing standards: 28% [ 2 ]
- Apparent lack of business drivers for certification: 28% [ 2 ]
Total Votes : 7

jmb
Newbie
Joined: Jul 12, 2004
Posts: 3
Location: UK

Posted: Mon Jul 12, 2004 11:04 pm    Post subject: What factors are slowing the take-up of 7799 certification?

Why do you think that more companies aren't gaining 7799 certification, given that it's been around for a while?

The take-up seems slower than was the case for certifications from other disciplines, e.g. BS5750/ISO9000. There may be a number of reasons for this:
- lack of government support / funding
- lack of executive awareness
- lack of multinationals requiring it of their suppliers
- confusion caused by the apparent range of competing standards
- apparent lack of business drivers for certification

Have you identified other reasons? Which do you think are the most important?
Alex5
Guest

Posted: Mon Jul 12, 2004 11:49 pm

What? Is this actually the case?

There are many firms certified, and it's a rapidly growing number.

Maybe it's just a relative thing, as I don't have much exposure to ISO 9000. I think it is also worth bearing in mind though that ISO 9000 applies to ALL firms. IS simply isn't applicable to some of them.
jmb
Newbie
Joined: Jul 12, 2004
Posts: 3
Location: UK

Posted: Tue Jul 13, 2004 6:08 pm    Post subject: Is this the case?

My comments are particularly aimed at the UK (I fully accept that 7799 certification in Japan is much more significant).

Let me quote Chris Potter from PwC who led the DTI Information Security Breaches Survey 2004. "BS7799 is the leading standard in the world [for security]. But neither awareness nor those who have implemented it have increased in the two years since the last report".

There are 26,000 UK firms certified to ISO 9000 and about 100 to BS7799. Whilst ISO 9000 (and before it BS5750) have been around for much longer, take-up was significantly ahead of 7799 after the same time. That means that there are 25,900 firms who recognise the need to certify their QMS, but not their ISMS.

And are there really a significant number of firms who have NO information assets to protect? Not in my experience. Even my plumber needs to back up his PC and be alert to the Data Protection implications of his customer records.
Alex5
Guest

Posted: Tue Jul 13, 2004 8:11 pm

Sorry, but IMHO Chris Potter is definitely talking out of his hat.

Awareness of the standard now, compared with two years ago? No comparison at all. All the metrics I have seen (and yes, this includes the UK) show dramatic growth.

I think it's important to understand that there are different levels in play here. Not everyone needs certification, or certainly, the sort of consultancy that his firm offers (which may affect his perception).

For many, broad compliance with the standard is more than adequate. Others will measure that compliance specifically and report on it. Others will prepare for certification. And some will go for certification.

It's a complex picture with varying growth in each of these areas. But growth there is. There is certainly SUBSTANTIAL growth in the earlier stages.

And oh yes, and your comparison with ISO 9000. There is a big difference: your local plumber might actually obtain a direct marketing edge through ISO 9000, in that he can blabber about the 'quality' of his service. Would the security of his PC actually make any difference at all to his marketing? I don't think so.

Security is a major differentiator for many industries, but just not as many as quality.

As for metrics, look at the increasing numbers of searches for the standard, the increasing circulation of the ISO 17799 Newsletter (I subscribed when it was less than 500!) or even the emergence of a forum like this one.

From my perspective the growth is there, it is clear, and it shows no sign of slowing.
jmb
Newbie
Joined: Jul 12, 2004
Posts: 3
Location: UK

Posted: Tue Jul 13, 2004 11:58 pm    Post subject: But why is it taking so long?

I agree with you that I've seen much more interest and activity in 7799 within the last two years. My question is “Why aren't more companies gaining 7799 certification?”

The standard has been around (largely in its current form) since first published as a Code of Practice in 1989. That’s fifteen years! I know that BS7799 certification scheme has only become available more recently, but that doesn’t go a long way to explaining why only about 100 organisations in the UK have gained certification to date.

[I am CSO of one of those 100 organisations. The reason for my post was a desire to understand what issues have prevented more organisations from joining us (rather than to cast aspersions on the standard itself)]

I agree that quality is a major differentiator in many more industries than information security. But Corporate Governance bears some relevance to most organisations, and increased awareness of the need to manage the risks relating to information security is one of the key drivers for increased interest in 7799 (IMHO).
Alex
Guest

Posted: Wed Jul 14, 2004 1:28 am

"I know that BS7799 certification scheme has only become available more recently" - I think there is your answer, coupled with the fact that it isn't an ISO standard yet.

The significant momentum gained over the last 2 years will certainly be enough to carry this forward, IMHO.
Biljana
Newbie
Joined: Jun 23, 2005
Posts: 20

Posted: Thu Jun 23, 2005 9:28 pm

I see that the last post was posted a really long time ago - but to inform you - we finally got one company in Croatia certified to BS 7799. So I believe the things move on.
All times are GMT + 10 Hours