ISO 27001 Information Security Management Systems Trends and Developments

Posted on 28-Nov-2014

DESCRIPTION

Michael Brophy's ISO 27001 Information Security Management Systems Trends and Developments presentation. The presentation was delivered at our Information Security Breakfast Seminar (Nov 2011)

TRANSCRIPT

ISO 27001 Trends and Developments

Michael Brophy, CEO

Certification Europe

Global take-up of ISO 27001

[Chart: Total No. of ISO 27001 Certifications (0 to 8000), plotted from Apr-99 to Dec-11]

Top Ten Countries with ISO 27001

[Chart: Certificates per country, 0 to 4500]


Which sectors are prominent?

IT & IT Services (Security)

Financial Services

Government & Semi-State (extensive)

Telecoms

Printing

Software

Consultancy

Healthcare

Online Gambling & Betting *

Infrastructure *

Why are organisations getting certified?

• First mover advantage still a factor, but not in the ten major categories

• Tendering requirements

• Supply chain pressure

• In some sectors it is virtually a market requirement (e.g. hosting and datacentres)


What Standards or Guidelines have your customers required you to comply with?

[Chart: percentage of Large Organisations and Small Organisations reporting each of the following: Not aware of any such demands; Other; PCI (Payment Card Industry); Government related requirements; A recognised standard like ISO 27001]

Source: PWC Information Security Breaches Survey 2010 fig 15

Why are organisations getting certified?


Recent Trends (1)

• High Profile Data Breaches


Recent Trends (2)

• Supply Chain Pressure

Security Policy Guidelines (Telefónica O2 UK only): "O2 attaches particular importance to the security of its own, its employees’ and its customers’ data. The reference standard for O2’s security policies is ISO27001 and the suppliers shall comply with the principles of that standard at all times."

Recent Trends (3)

• Major incidents

Office of the Australian Information Commissioner:

“noted that the company had a wide range of security safeguards in place for the protection of personal information including physical, network, communications security and maintained security standards… ISO 27001”

What is coming down the line (1)

• Expect to see ISO 27001 (& BS 25999) featuring in many more tendering requirements

• Particularly when IT services are outsourced

What is coming down the line (2)

• ISO 27001 used as a basis to address the risks associated with Cloud Computing

What is coming down the line (3)

• Increasing reliance being placed upon ISO 27001 by regulatory bodies

What is coming down the line (3)

• APACS & Standard 55

What is coming down the line (3)

• "Outsourcing requires not only a written contract but also active measures to ensure data is secure in the “cloud”. If a cloud provider has taken the trouble to certify to recognised security standards such as ISO 27001… this provides significant reassurance about data security."

Irish Data Protection Commissioner Annual Report 2010

What is coming down the line (3)

• Financial Services Authority (UK)

• The "FSA Handbook" states in SYSC 3A.7.8 that "firms should have regard to established security standards such as ISO17799 (Information Security Management)."

What is coming down the line (3)

• In essence, evolving to become a key tool in overall risk management as opposed to an isolated activity

Thank you

mbrophy@certificationeurope.com

www.certificationeurope.com
