ISO 27001 Information Security Management Systems Trends and Developments
DESCRIPTION
Michael Brophy's ISO 27001 Information Security Management Systems Trends and Developments presentation. The presentation was delivered at our Information Security Breakfast Seminar (Nov 2011).
TRANSCRIPT
1
ISO 27001 Trends and Developments
Michael BrophyCEO
Certification Europe
3
Global take-up of ISO 27001
[Line chart: Total No. of ISO 27001 Certifications (axis 0 to 8000) plotted over time, Apr-99 to Dec-11; single series labelled "Total"]
4
Top Ten Countries with ISO 27001
[Bar chart: Certificates per country (axis 0 to 4500)]
5
Which sectors are prominent?
IT & IT Services (Security)
Financial Services
Government & Semi-State (extensive)
Telecoms
Printing
Software
Consultancy
Healthcare
Online Gambling & Betting *
Infrastructure *
6
Why are organisations getting certified?
• First mover advantage still a factor, but not in the ten major categories
• Tendering requirements
• Supply chain pressure
• In some sectors it is virtually a market requirement (e.g. hosting and datacentres)
7
Why are organisations getting certified?
What Standards or Guidelines have your customers required you to comply with?
[Bar chart comparing Large Organisations and Small Organisations across five categories: Not aware of any such demands; Other; PCI (Payment Card Industry); Government related requirements; A recognised standard like ISO 27001. Values shown on the chart: 38%, 32%, 6%, 16%, 6% and 30%, 26%, 37%, 31%, 41%]
Source: PWC Information Security Breaches Survey 2010, fig 15
9
Recent Trends (1)
• High Profile Data Breaches
11
Recent Trends (2)
• Supply Chain Pressure
Security Policy Guidelines (Telefónica O2 UK only):
"O2 attaches particular importance to the security of its own, its employees' and its customers' data. The reference standard for O2's security policies is ISO27001 and the suppliers shall comply with the principles of that standard at all times."
12
Recent Trends (3)
• Major incidents
14
Recent Trends (3)
• Major incidents
Office of the Australian Information Commissioner:
"noted that the company had a wide range of security safeguards in place for the protection of personal information including physical, network, communications security and maintained security standards… ISO 27001"
16
What is coming down the line (1)
• Expect to see ISO 27001 (& BS 25999) featuring in many more tendering requirements
• Particularly when IT services are outsourced
17
What is coming down the line (2)
• ISO 27001 used as a basis to address the risks associated with Cloud Computing
18
What is coming down the line (3)
• Increasing reliance being placed upon ISO 27001 by regulatory bodies
19
What is coming down the line (3)
• APACS & Standard 55
20
What is coming down the line (3)
• "Outsourcing requires not only a written contract but also active measures to ensure data is secure in the 'cloud'. If a cloud provider has taken the trouble to certify to recognised security standards such as ISO 27001… this provides significant reassurance about data security."
Irish Data Protection Commissioner Annual Report 2010
21
What is coming down the line (3)
• Financial Services Authority (UK)
• The "FSA Handbook" states in SYSC 3A.7.8 that "firms should have regard to established security standards such as ISO17799 (Information Security Management)."
22
What is coming down the line (3)
• In essence, evolving to become a key tool in overall risk management as opposed to an isolated activity