One third of businesses have not yet considered implementing ISO 27001 ISMS

(10/07/2009)

According to Activity's research, one third of respondents who have considered, but not implemented, an Information Security Management System (ISMS) such as ISO 27001, thought the cost of doing so would be prohibitive. A similar proportion (29 per cent) of respondents who have actually implemented such a system, also had cost as their top concern.

Activity’s survey also found that 40 per cent of companies had already implemented ISO 27001 or a similar ISMS, while nearly one quarter (24 per cent) had considered it and decided not to go ahead. Worryingly, over one third (36 per cent) have not yet even considered implementing ISO 27001 or an equivalent system.

Of those organisations that have already implemented an ISMS, the greatest area of concern when considering such a system, was the potential disruption that the process would have on the business.

Commenting on the research, Neil O’Connor, managing director at Activity said: “The findings show that organisations are potentially exposing their businesses to unnecessary risk by not implementing adequate security and management processes. To address the concerns that they may have over the cost of implementation, we are offering businesses a free scoping service and a fixed price consultancy project to enable them to achieve ISO 27001 accreditation with the minimum of disruption to their business.”

Activity’s approach to implementing an information security management system includes the following step-by-step method:
• Free initial discussion and scoping
• Fixed price Gap Analysis leading to detailed ISO 27001 Implementation Plan
• Agreement with client on how best to implement plan
• Fixed fee agreed for Activity’s involvement.

The research highlights a potential contrast between the adoption of management processes within the public and private sectors. Whilst organisations operating within the public sector are contractually required to adhere to stringent HM Government standards, the research confirms that 64 per cent of the commercial organisations surveyed have not yet implemented an Information Security Management System.

Neil O’Connor went on to highlight that, in reality, costs can be carefully controlled and managed throughout the accreditation process and that working with a specialist consultancy does not have to mean taking a rigid approach. “We can typically build a detailed implementation plan for ISO 27001 within ten days and then work alongside clients to work out the best way to deliver it. Often this involves clients implementing part of the plan themselves working alongside our experienced consultants.”

Related topics:  Security management and policies 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources