Michael Brophy, CEO of Certification Europe, makes a strong argument for companies here in Ireland to certify against the ISO 27001 Information Security Standard, especially in light of the recent data breaches in Bank of Ireland. Michael is quoted in both SiliconRepublic.com and Saturday’s Irish Independent on the frustrations he feels regarding the lack of take-up of the ISO 27001 Information Security Standard here in Ireland.
Michael highlights that in a number of other countries, such as the UK, companies are obliged to comply with the ISO 27001 Information Security Standard. He points out that in the UK all financial institutions have to meet the standard, or otherwise the UK’s payment association (APACS) will not deal with them. In Ireland, Michael states, the only financial organisation certified against the standard is a credit union in Waterford. Most companies certified in Ireland are telecoms companies, data centres or pharmaceutical companies.
I have to agree with Michael. Too many organisations are paying lip service to information security and are not investing the time or resources necessary to ensure the security of confidential information. Businesses tend to think that information security is a technology problem and therefore that there is a technical answer to it. That simply is not the case. Information security is a business issue and one that cannot be left solely to the IT department to deal with. Not that IT people are not competent to deal with certain aspects of information security, but the responsibility for something as important as security should rest with senior management within the business.
One of the key requirements of the ISO 27001 Information Security Standard is that there must be senior management buy-in. This is not merely a signature on a project charter; evidence of ongoing involvement is required, such as senior management signing off their acceptance of the risk management approach undertaken by the organisation.
By implementing ISO 27001, organisations can demonstrate, through independent third-party verification, that their Information Security Management System (ISMS) meets an internationally recognised standard. This gives a company, its staff, customers and partners confidence that it is managing its security in accordance with recognised and audited best practices.
By adopting the risk- and standards-based approach to implementing an Information Security Management System in accordance with ISO 27001, companies can reap many advantages, not least being better able to demonstrate compliance with legal and industry regulatory requirements.
ISO 27001 is not difficult and indeed need not be expensive. You can download a PDF copy of the standard for US $30 from the American National Standards Institute’s website. By complying with the standard you can have confidence in your ISMS without having to seek certification. Depending on your internal resources, you can also run the project internally using the guidelines provided in ISO 27002. Of course, if you need external guidance and assistance, we would be happy to discuss your requirements.