Michael Brophy's ISO 27001 Information Security Management Systems Trends and Developments presentation. The presentation was delivered at our Information Security Breakfast Seminar (Nov 2011)
3. Global take-up of ISO 27001
[Chart: Total No. of ISO 27001 Certifications, Apr-99 to Dec-11]
4. Top Ten Countries with ISO 27001 Certificates
[Bar chart: number of ISO 27001 certificates by country]
5. Which sectors are prominent?
IT & IT Services (Security)
Financial Services
Government & Semi-State (extensive)
Telecoms
Printing
Software
Consultancy
Healthcare
Online Gambling & Betting *
Infrastructure *
6. Why are organisations getting certified?
• First mover advantage still a factor, but not in the ten major categories
• Tendering requirements
• Supply chain pressure
• In some sectors it is virtually a market requirement (e.g. hosting and datacentres)
7. Why are organisations getting certified?
What Standards or Guidelines have your customers required you to comply with?

                                        Large Organisations   Small Organisations
A recognised standard like ISO 27001    41%                   31%
Government related requirements         37%                   26%
PCI (Payment Card Industry)             30%                   16%
Other                                    6%                    6%
Not aware of any such demands           32%                   38%

Source: PWC Information Security Breaches Survey 2010 fig 15
11. Recent Trends (2)
• Supply Chain Pressure
Security Policy Guidelines (Telefónica O2 UK only):
"O2 attaches particular importance to the security of its own, its employees' and its customers' data. The reference standard for O2's security policies is ISO27001 and the suppliers shall comply with the principles of that standard at all times."
14. Recent Trends (3)
• Major incidents
Office of the Australian Information Commissioner: "noted that the company had a wide range of security safeguards in place for the protection of personal information including physical, network, communications security and maintained security standards… ISO 27001"
16. What is coming down the line (1)
• Expect to see ISO 27001 (& BS 25999) featuring in many more tendering requirements
• Particularly when IT services are outsourced
17. What is coming down the line (2)
• ISO 27001 used as a basis to address the risks associated with Cloud Computing
18. What is coming down the line (3)
• Increasing reliance being placed upon ISO 27001 by regulatory bodies
19. What is coming down the line (3)
• APACS & Standard 55
20. What is coming down the line (3)
• "Outsourcing requires not only a written contract but also active measures to ensure data is secure in the "cloud". If a cloud provider has taken the trouble to certify to recognised security standards such as ISO 27001… this provides significant reassurance about data security."
Irish Data Protection Commissioner Annual Report 2010
21. What is coming down the line (3)
• Financial Services Authority (UK)
• The "FSA Handbook" states in SYSC 3A.7.8 that "firms should have regard to established security standards such as ISO17799 (Information Security Management)."
22. What is coming down the line (3)
• In essence, ISO 27001 is evolving to become a key tool in overall risk management as opposed to an isolated activity
23. Thank you
mbrophy@certificationeurope.com
www.certificationeurope.com