
ISO 27001 Global Survey

The facts and the figures underlying the growth of ISO 27001 world-wide
Contents

Foreword 2
Introduction 3
The Findings 4
Who is adopting ISO 27001? 4
Size of Organisation adopting ISO 27001? 5
Who manages an ISMS within organisations? 5
Why do organizations seek certification? 6
What are the challenges to implementing ISO 27001? 7
What is involved in getting certified? 8
Costs 9
Cross-certification 10
After certification... 11

1 ISO 27001 Global Survey



Foreword
There has been tremendous growth in the number of organizations world-wide that have implemented and been
certified to ISO 27001.

As a certification body involved in assessing and certifying organizations to the standard, we often wondered what
was really driving this growth, and what those managers who actually implemented 27001 really thought of it
once they had been certified.

Over the years we were frustrated at the lack of information on this topic. True, there were any number of surveys
on information security and market trends, but none of them approached the issue from the perspective of ISO
27001. So, in 2007 we gave up looking for the answers in trade journals and the internet, and undertook our
own research. To the best of my knowledge this is the first time anyone has undertaken a global survey on ISO
27001.

I feel that the findings contained in this report provide a real insight into the uptake of ISO 27001 over recent years,
and for the first time provide some hard facts and figures on a topic which was only guessed at previously.

I take real pride in the size of the survey: with 312 respondents from a broad range of sectors, it can claim to be
a truly authoritative sample of those organizations which have implemented ISO 27001 in recent years.

I would like to express my personal thanks to the hundreds of individuals who gave up a few minutes of their own
time to complete the questionnaire and record their experiences and opinions - without whom this survey would
simply not exist.

I hope that you find the survey of interest and use, and would always welcome any comments or feedback you
may have, positive or negative, at feedback@certificationeurope.com. The first ISO 27001 Global Survey sets
an important benchmark and establishes a factual basis for future comparison - and on that note I look forward
to introducing the Second Global Survey in the near future.

Michael Brophy
CEO - Certification Europe - January 2008.



Introduction
BS 7799, and now ISO 27001, has experienced impressive growth over recent years, both in terms of the number
of organizations voluntarily adopting the standard and its proliferation across the globe. Certification Europe
has for many years conducted research to chart the uptake of the standard. In 2007 we commenced a research
project to survey for the first time those managers actually involved in the implementation and maintenance of
information security management systems (ISMS). The research findings are presented in this report, and form
the first global survey of ISO 27001 ever undertaken.

A major emphasis of this research was to provide an insight into the rapid growth of ISO 27001 and establish
base-line facts about the organizations which have been implementing the standard. We would hope that this
research will provide a clearer picture about why organizations have chosen to adopt ISO 27001, the challenges
they faced, and the benefits which they feel have accrued from this process.

Certification Europe structured its survey around three main issues:

• Information about the organizations which have adopted the standard and the individuals responsible for
managing information security,

• Information about why the organizations wanted to get certified to ISO 27001 and the challenges they
faced,

• Information about the maintenance of the system after certification and the perceived benefits (if any)
which have been realized.

The research was conducted over a four month period in 2007 and involved completion of a questionnaire
by individual ISMS Managers (or their equivalent) in organizations which had already achieved certification to
ISO 27001. In total some 312 organizations responded to the questionnaire with contributions received from
organizations in India, Ireland, Italy, Hong Kong, Japan, the UK, and the United States.



The Findings
Who is adopting ISO 27001?
While there has been much anecdotal evidence about which types of organisation have been at the forefront of
the adoption of ISO 27001, Certification Europe’s research has established that there are eleven main sectors
which dominate the market.

[Chart: Adoption of 27001 by Sector (%). Sectors shown: IT Services/Software Dev., Telecommunication, Public Sector, Print Sector, Healthcare, Consultancy/Training, Pharmaceutical, Manufacturing, Financial Services, Construction, Legal, Other. Axis: 0 to 25%.]

The survey found that, at 23%, the ‘IT Services / software development’ sector is the primary adopter of ISO 27001
world-wide. This category incorporates a broad range of services including document management services,
outsourced IT managed services and software development; however, the lion’s share of organisations in this
sector (52%) are classed as IT security consultants.

The dominance of the IT security industry should be of little surprise, as consultants seek certification to ISO 27001
as a means of demonstrating that they ‘practice what they preach’ and have the credentials and experience to
advise their client base.

The ‘Telco sector’ and ‘Public Sector’ both featured prominently with 14% of the market respectively. The Telco
Sector tended to be focused around the provision of secure hosting services and the operation of Data Centres,
while the Public Sector tended to have certifications which were limited to the IT / ICT department as a sub-set
within the larger organisation.

The ‘Print Sector’ accounts for 12% of the total market. However, it is worth noting that there was a strong
European weighting among respondents in this grouping, and specifically many of them would appear to have
been linked directly or indirectly to the UK payments industry (APACS). APACS has introduced a number of
initiatives to mandate the implementation of ISO 27001 within the security printing supply chain, and although
this issue was not specifically addressed within the research, it is possible that it has had a bearing on the uptake
of the standard in this sector.



Perhaps the one area of surprise is amongst the sectors at the lower end of the scale. The financial and legal
sectors are synonymous with handling sensitive information and prioritise information security, yet at 3% and
2.5% of the market respectively, they are still amongst the slowest adopters of the international standard.

Size of Organisation adopting ISO 27001?


The survey attempted to get some insight as to the typical size of organisations adopting the standard, and the
findings would suggest that organisations are polarised at either end of the scale. 50% of organisations would fall
into the small to medium sized (SME) classification with less than 200 employees, while at the other end of the
scale some 38% of respondents were large organisations ranging in size from 600 to 15,000 employees.

Only 12% of organisations classified themselves as medium size ranging between 200 and 500 employees.

[Chart: Size of Organisation]

< 50 Employees: 27%
50 - 200: 23%
200 - 500: 12%
> 500 Employees: 38%

Who manages an ISMS within organisations?


We felt it was important to establish who was actually tasked with implementing and maintaining ISO 27001 within
organisations. We found that just 12% of the 312 organisations surveyed had a full-time ISMS Manager. This
figure is perhaps surprising when we consider that more than a third (38%) of these organisations are large
organisations, with over 500 employees, and yet they typically do not have anyone with full-time responsibility for
the management of their information security systems.

This finding appears to corroborate the comments made later in this survey that one of the key challenges to
implementing ISO 27001 is ensuring adequate resources are made available by senior management.

KEY FINDING • Just 12% of organisations have a full-time ISMS Manager
In terms of the other 88% of ISMS managers, the survey found that they had to fulfil a range of responsibilities in
addition to their information security duties.



[Chart: Other roles held by ISMS managers (%). Roles shown: BCM Manager, Compliance, Other, IT Manager, Health & Safety Manager, Project Manager, Facilities Manager, Quality Manager. Axis: 0 to 30%.]

Linking the role of IT Manager with that of the management of the ISMS may seem a natural fit; however, it does
raise questions of independence. As some respondents noted, when IT operational issues become pressurized,
short-cuts may be taken at the expense of security. Without a separate ISMS management role, such actions may
go unchecked and security becomes relegated to a ‘poor second’ against operational delivery.

Why do organizations seek certification?


We asked ISMS Managers why their organizations had sought certification to ISO 27001. Almost 90% of the
managers responded that the standard had been adopted because it was recognized best practice in relation to
information security. 80% also responded that the organization had sought certification as a means of gaining
competitive advantage within their respective markets.

Interestingly only 8% reported that their competitors had already been certified, suggesting that those seeking
competitive advantage were doing so on the basis of being first movers in the market.



[Chart: Reasons for adopting the standard (%). Reasons shown: Mandated by a customer; Requirement when tendering; To gain competitive advantage; Competitors had already achieved certification; Because it was recognised as the best practice standard; To ensure legal and regulatory compliance; Other. Axis: 0 to 100%.]

The survey found that over a quarter of the organisations had sought certification because it was a condition of
tenders, while in 16% of cases certification had been a mandatory requirement of a customer.

These figures reflect the increasing trend for organisations to push ISO 27001 down the supply chain, or look for the
standard as a condition of tender, particularly when key services are being outsourced. A number of respondents
noted that they had sought certification as a condition of tender when seeking to win business associated with
outsourced IT services (hosting, software development or networks and/or applications management).

Under the category of ‘Other’, a number of organisations had responded that certification was a means of being
granted access to restricted networks, such as Government VPNs, or in a few cases, it was a condition of being
granted remote access to client information.

KEY FINDING • 80% of organisations sought certification to ISO 27001 as a means of gaining competitive advantage
• 28% had been required to gain certification as a condition of tender

What are the challenges to implementing ISO 27001?


We were interested in finding out what challenges ISMS managers had faced in implementing ISO 27001.

The findings suggest that the single biggest challenge is in bringing about the cultural change within an organisation
that information security requires. As one respondent noted, the difficulty lay in getting people to think beyond
electronic information, and consider the physical security of buildings and paper documents as well as electronic
information. Another ISMS Manager stated that the key to implementing the standard lay in getting staff to think
of information security as an integral part of the daily business and not as an additional burden.

In total, 56% of the organisations identified cultural change as their main challenge.

[Chart: Main Challenges to 27001 (%). Challenges shown: Maintaining the ISMS; Understanding the standard; Resources; Senior management buy-in; Cultural change within the organisation. Axis: 0 to 60%.]

Senior management buy-in was identified as a difficulty by 18% of respondents. It was often noted that information
security would have to compete for attention at the Board level. Most organisations reported that information
security was recognised as an important issue, but would often be side-lined as more pressing topics appeared
on the agenda.

Interestingly 8% of respondents noted that understanding the standard, and particularly the jargon used in
information security, was a major challenge when starting the certification process.

What is involved in getting certified?


Managers were asked how long it took to implement their information security management system and achieve
certification.

Most organisations (60%) reported that it took 12 months or less to implement the system, while a fifth of the
organisations reported that they had managed to achieve certification in less than six months. However, it is also
worth noting that every one of the organisations which achieved certification in less than six months had already
been certified to another management system standard (e.g. ISO 9001 - Quality Management System Standard,
or ISO 14001 - Environmental Management System Standard). Holding certification to another ISO standard is
clearly an advantage in cutting the lead-time for implementing 27001.

While the survey did not identify an upper limit to the implementation time-line, we found that 93% of organisations
had managed to achieve certification within two years of starting to implement the standard. The survey could
find no correlation between the timescale for implementation and the size of an organisation, nor did it appear to
vary based upon business sector.



Costs
The cost of implementing the standard is obviously a topic of interest for anyone looking at ISO 27001; however,
it is a particularly difficult question to try and answer. Respondents noted on many occasions that they found it
hard to attach a monetary value to the time and resources needed to implement the system. Certification Europe
tried to break down the costs under a number of general headings:

Internal Resources
Responses varied, and most managers attempted to quantify the commitment in terms of man-power.

At the SME level resource commitments tended to be in the order of 3-4 staff working as a team on
a part-time basis for 6-12 months. The monetary value for this commitment was in the order of
Stg £3,000 - Stg £11,000, and in terms of man-days tended to equate to between 35-60 man-days.

When dealing with the larger organisations, internal commitments tended to involve one to two staff
members working full-time on the project, and typically ran for 12-18 months. Other staff members
may be pulled in to the team as required.

External resources (Consultants)


Just over half of the organisations (54%) used the services of external consultants. Fees varied
significantly depending upon the extent and duration of the service provided. In general, consultancy
fees associated with implementation ranged from a low of Stg £3,000 to a staggeringly high Stg
£65,000. Our findings suggest that the average fee per organisation was approximately Stg £22,000;
however, it is acknowledged that a few very large contracts may have skewed this figure towards the
higher end of the scale.

Consultant day rates seem to average a fairly consistent Stg £1,000 / day. These figures show a
strong European bias, and it is acknowledged that fees in other regions will vary; however, insufficient
financial information was provided from other regions to allow a meaningful comparison.

New Technologies
It was notable that very few respondents indicated that new hardware or software was a significant
cost in implementing the standard. We feel that this finding substantiates the view that most proactive
organisations tend to have good technical security controls in place, and are now moving to address
the ‘soft’ security issues of people and policies through the implementation of the standard.

Certification
The cost of certification is naturally dependent upon the scope and size of the organisation. The range
in certification costs varied from approximately Stg £1,500 to Stg £16,000. There appeared to be no
significant variation in cost by sector.

The average certification fee was calculated at Stg. £4,800 and showed little variation between Europe,
North America and the Japanese markets. The survey suggests that certification fees of approximately
Stg. £1,500 to Stg. £2,500 tended to be the average in the Indian subcontinent, but again these
findings are based upon limited financial information.

KEY FINDING • 54% of organisations certified to ISO 27001 had used external consultants to help them achieve the standard,
and on average they paid Stg £22,000 in consultancy fees

Cross-certification
As well as looking at costs, we were also interested to find out if any of the organisations adopting ISO 27001 had
previously implemented other management system standards.

Somewhat unexpectedly, we found that an overwhelming 88% of organisations were already certified to another
management system standard. Of the 12% that were not already certified, most (67%) expressed a clear intention
of seeking certification to another standard in the short to medium term.

We asked the organisation which standards they had already achieved, and which ones their organisation would
implement in the future. ISO 9001 is the most common standard in the certification field, and therefore it is
perhaps no surprise to learn that 80% of the organisations had already been certified to ISO 9001.

Prior to undertaking this research we had felt there were moves in the general market promoting the uptake of
ISO 20000-1 and linking it strongly with ISO 27001 as a compatible standard. We therefore had expected to see
a sizable percentage of the market intending to implement ISO 20000-1 in the future. The findings, however, do
not reflect this trend, with just 20% of organisations intending to implement the standard, a figure comparable to
other management system standards.

KEY FINDING • 88% of organisations certified to ISO 27001 are also certified to other management system standards



After certification...
We asked ISMS managers to reflect on their ISMS and determine what were the main benefits that ISO 27001 had
brought to their organisation. While the respondents differed in their individual comments, a number of clear
themes emerged, which we have sought to capture in the comments below:

• Provided a formal approach to information security...
• Raised the internal visibility of information security...
• Raised the level of awareness of security and all its implications amongst staff...
• Security is now part of the way we do business rather than being a bolt-on to the company...
• It changed the culture of the organisation...
• Confidence in knowing what you do is correct and to industry standard...
• Validation that our systems are robust regarding information security...
• Internal recognition that staff work to an international standard...
• 27001 has brought a much needed formality to something which was only given lip-service previously...
• We now have a clear focus, and more importantly control, to risk management...
• A significant reduction in business risk...
• The standard has brought a greater understanding and control of risks...
• Security is now considered at the outset of any new systems...
• It increased customer confidence, allowing us to work closely with Government departments...
• 27001 opens a door to prospective clients in tenders...
• Added to the confidence our clients have in our company with regard to information security...
• It brought a tangible competitive advantage...
• Improved our core service and has embedded security in a process of continuous improvement...



Finally we asked respondents if they were to implement ISO 27001 again, was there anything that they would do
differently. The answers were surprisingly reassuring, in that they reflected many of the issues highlighted earlier
in this report.

Nearly a third of organisations reported that if they were to repeat the process they would get more senior
management involved and buying in to the process from its inception. Typically, respondents noted that senior
management should be sent on ISMS awareness courses, and a PR campaign should start at the top so senior
management are aware of the benefits and the achievements of the ISMS. Linked to this issue, many of the
respondents also noted the need to get all staff involved from the start rather than trying to train them on the
system at the end of the process.

18% of respondents said they would seek more time or resources (man-power) if they were to repeat the
process, while approximately 16% noted that they would approach the risk assessment differently if they were
to implement ISO 27001 again. The research suggests that managers experienced problems in finding a user
friendly risk assessment methodology, or had to revisit the process a number of times before it met the needs of
the organisation.

A small, but nevertheless important, minority at 7% stated that they would not use consultants, or alternatively would
reduce their reliance upon external resources, if they were to implement the system again. These comments
reflect difficulties observed in other management system standards where poor consultancy support does not
result in the transfer or establishment of a knowledge base within the client organisation. The result is that when
the consultant finishes their project, management within the organisation lack ownership or understanding of the
new system.

Of the 314 respondents to this survey, only one organisation questioned the wisdom of implementing ISO 27001
and this was attributed to a lack of knowledge about the standard among the organisation’s client base.

Interestingly 27% of respondents said that they would not change any aspects of how they implemented the
standard and would be happy to repeat the same process again.



Certification Europe
The Digital Hub
157 Thomas Street
Dublin 8
Ireland

Tel: +353 1 679 66 66


Fax: +353 1 679 3235
Email: info@certificationeurope.com
www.certificationeurope.com
