Contents
Foreword
Introduction
The Findings
Costs
Cross-certification
After certification...
Foreword
There has been tremendous growth in the number of organizations world-wide that have implemented and been
certified to ISO 27001.
As a certification body involved in assessing and certifying organizations to the standard, we often wondered what
was really driving this growth, and what those managers who actually implemented 27001 really thought of it
once they had been certified.
Over the years we were frustrated at the lack of information on this topic. True, there were any number of surveys
on information security and market trends, but none of them approached the issue from the perspective of ISO
27001. So, in 2007 we gave up looking for the answers in trade journals and the internet, and undertook our
own research. To the best of my knowledge this is the first time anyone has undertaken a global survey on ISO
27001.
I feel that the findings contained in this report provide a real insight into the uptake of ISO 27001 over recent years,
and for the first time provides some hard facts and figures on a topic which was only guessed at previously.
I take real pride in the size of the survey: with 312 respondents from a broad range of sectors, it can claim to be
a truly authoritative sample of those organizations which have implemented ISO 27001 in recent years.
I would like to express my personal thanks to the hundreds of individuals who gave up a few minutes of their own
time to complete the questionnaire and record their experiences and opinions - without whom this survey would
simply not exist.
I hope that you find the survey of interest and use, and would always welcome any comments or feedback you
may have, positive or negative, at feedback@certificationeurope.com. The first ISO 27001 Global survey sets
an important benchmark and establishes a factual basis for future comparison - and on that note I look forward
to introducing the Second Global survey in the near future.
Michael Brophy
CEO - Certification Europe - January 2008.
A major emphasis of this research was to provide an insight into the rapid growth of ISO 27001 and establish
base-line facts about the organizations which have been implementing the standard. We would hope that this
research will provide a clearer picture about why organizations have chosen to adopt ISO 27001, the challenges
they faced, and the benefits which they feel have accrued from this process.
• Information about the organizations which have adopted the standard and the individuals responsible for
managing information security,
• Information about why the organizations wanted to get certified to ISO 27001 and the challenges they
faced,
• Information about the maintenance of the system after certification and the perceived benefits (if any)
which have been realized.
The research was conducted over a four month period in 2007 and involved completion of a questionnaire
by individual ISMS Managers (or their equivalent) in organizations which had already achieved certification to
ISO 27001. In total some 312 organizations responded to the questionnaire with contributions received from
organizations in India, Ireland, Italy, Hong Kong, Japan, the UK, and the United States.
[Chart: respondents by business sector (%). Sectors shown: IT Services/Software Dev., Telecommunication, Public Sector, Print Sector, Healthcare, Consultancy/Training, Pharmaceutical, Manufacturing, Financial Services, Construction, Legal, Other.]
The survey found that, at 23%, the ‘IT Services / software development’ sector is the primary adopter of ISO 27001
world-wide. This category incorporates a broad range of services including document management services,
outsourced IT managed services and software development; however, the lion’s share of organisations in this
sector (52%) are classed as IT security consultants.
The dominance of the IT security industry should be of little surprise, as consultants seek certification to ISO 27001
as a means of demonstrating that they ‘practice what they preach’ and have the credentials and experience to
advise their client base.
The ‘Telco sector’ and ‘Public Sector’ both featured prominently, with 14% of the market each. The Telco
Sector tended to be focused around the provision of secure hosting services and the operation of Data Centres,
while the Public Sector tended to have certifications which were limited to the IT / ICT department as a sub-set
within the larger organisation.
The ‘Print Sector’ accounts for 12% of the total market. However, it is worth noting that there was a strong
European weighting among respondents in this grouping, and specifically many of them would appear to have
been linked directly or indirectly to the UK payments industry (APACS). APACS has introduced a number of
initiatives to mandate the implementation of ISO 27001 within the security printing supply chain, and although
this issue was not specifically addressed within the research, it is possible that it has had a bearing on the uptake
of the standard in this sector.
Only 12% of organisations classified themselves as medium size, ranging between 200 and 500 employees.
[Chart: Size of Organisation. Bands shown: < 50 Employees, 50 - 200; values shown: 27%, 38%.]
This finding appears to corroborate the comments made later in this survey that one of the key challenges to
implementing ISO 27001 is ensuring adequate resources are made available by senior management.
KEY FINDING • Just 12% of organisations have a full-time ISMS Manager
In terms of the other 88% of ISMS managers, the survey found that they had to fulfil a range of responsibilities in
addition to their information security duties.
[Chart: other roles held by ISMS managers (%). Roles shown: Compliance, Other, IT Manager, Project Manager, Facilities Manager, Quality Manager.]
Linking the role of IT Manager with that of the management of the ISMS may seem a natural fit; however, it does
raise questions of independence. As some respondents noted, when IT operational issues become pressurized,
short-cuts may be taken at the expense of security. Without a separate ISMS management role, such actions may
go unchecked and security becomes relegated to a ‘poor second’ against operational delivery.
Interestingly only 8% reported that their competitors had already been certified, suggesting that those seeking
competitive advantage were doing so on the basis of being first movers in the market.
[Chart: reasons for seeking certification (%). Categories shown include Other.]
The survey found that over a quarter of the organisations had sought certification because it was a condition of
tenders, while in 16% of cases certification had been a mandatory requirement of a customer.
These figures reflect the increasing trend for organisations to push ISO 27001 down the supply chain, or look for the
standard as a condition of tender, particularly when key services are being outsourced. A number of respondents
noted that they had sought certification as a condition of tender when seeking to win business associated with
outsourced IT services (hosting, software development or networks and/or applications management).
Under the category of ‘Other’, a number of organisations responded that certification was a means of being
granted access to restricted networks, such as Government VPNs, or, in a few cases, a condition of being
granted remote access to client information.
The findings suggest that the single biggest challenge is in bringing about the cultural change within an organisation
that information security requires. As one respondent noted, the difficulty lay in getting people to think beyond
electronic information, and to consider the physical security of buildings and paper documents as well.
In total, 56% of the organisations identified cultural change as their main challenge.
[Chart: main implementation challenges (%). Categories shown include Resources.]
Senior management buy-in was identified as a difficulty by 18% of respondents. It was often noted that information
security would have to compete for attention at the Board level. Most organisations reported that information
security was recognised as an important issue, but would often be side-lined as more pressing topics appeared
on the agenda.
Interestingly 8% of respondents noted that understanding the standard, and particularly the jargon used in
information security, was a major challenge when starting the certification process.
Most organisations (60%) reported that it took 12 months or less to implement the system, while a fifth of the
organisations reported that they had managed to achieve certification in less than six months. However, it is also
worth noting that every one of the organisations which achieved certification in less than six months had already
been certified to another management system standard (E.g. ISO 9001 - Quality Management System Standard,
or ISO 14001 - Environmental Management System Standard). Holding certification to another ISO standard is
clearly an advantage in cutting the lead-time for implementing 27001.
While the survey did not identify an upper limit to the implementation time-line, we found that 93% of organisations
had managed to achieve certification within two years of starting to implement the standard. The survey could
find no correlation between the timescale for implementation and the size of an organisation, nor did it appear to
vary based upon business sector.
Internal Resources
Responses varied, and most managers attempted to quantify the commitment in terms of man-power.
At the SME level resource commitments tended to be in the order of 3-4 staff working as a team on
a part-time basis for 6-12 months. The monetary value for this commitment was in the order of
Stg £3,000 - Stg £11,000, and in terms of man-days tended to equate to between 35-60 man-days.
When dealing with the larger organisations, internal commitments tended to involve one to two staff
members working full-time on the project, and typically ran for 12-18 months. Other staff members
may be pulled in to the team as required.
Consultant day rates seem to average a fairly consistent Stg £1,000 / day. These figures show a
strong European bias, and it is acknowledged that fees in other regions will vary, however, insufficient
financial information was provided from other regions to allow a meaningful comparison.
New Technologies
It was notable that very few respondents indicated that new hardware or software was a significant
cost in implementing the standard. We feel that this finding substantiates the view that most proactive
Certification
The cost of certification is naturally dependent upon the scope and size of the organisation. The range
in certification costs varied from approximately Stg £1,500 to Stg £16,000. There appeared to be no
significant variation in cost by sector.
The average certification fee was calculated at Stg. £4,800 and showed little variation between Europe,
North America and the Japanese markets. The survey suggests that certification fees of approximately
Stg. £1,500 to Stg. £2,500 tended to be the average in the Indian subcontinent, but again these
findings are based upon limited financial information.
Cross-certification
As well as looking at costs, we were also interested to find out if any of the organisations adopting ISO 27001 had
previously implemented other management system standards.
Somewhat unexpectedly, we found that an overwhelming 88% of organisations were already certified to another
management system standard. Of the 12% that were not already certified, most (67%) expressed a clear intention
of seeking certification to another standard in the short to medium term.
We asked the organisations which standards they had already achieved, and which ones their organisation would
implement in the future. ISO 9001 is the most common standard in the certification field, and therefore it is
perhaps no surprise to learn that 80% of the organisations had already been certified to ISO 9001.
Prior to undertaking this research we had felt there were moves in the general market promoting the uptake of
ISO 20000-1 and linking it strongly with ISO 27001 as a compatible standard. We therefore had expected to see
a sizable percentage of the market intending to implement ISO 20000-1 in the future. The findings, however, do
not reflect this trend, with just 20% of organisations intending to implement the standard, a figure comparable to
other management system standards.
Raised the level of awareness of security and all its implications amongst staff...
Security is now part of the way we do business rather than being a bolt-on to the company...
It changed the culture of the organisation...
We now have a clear focus, and more importantly control, to risk management...
A significant reduction in business risk...
The standard has brought a greater understanding and control of risks...
Added to the confidence our clients have in our company with regard to information security...
It brought a tangible competitive advantage...
Improved our core service and has embedded security in a process of continuous improvement...
Nearly a third of organisations reported that if they were to repeat the process they would get senior
management more involved, and bought in to the process, from its inception. Typically respondents noted that senior
management should be sent on ISMS awareness courses, and a PR campaign should start at the top so senior
management are aware of the benefits and the achievements of the ISMS. Linked to this issue, many of the
respondents also noted the need to get all staff involved from the start rather than trying to train them on the
system at the end of the process.
18% of respondents said they would seek more time or resources (man-power) if they were to repeat the
process, while approximately 16% noted that they would approach the risk assessment differently if they were
to implement ISO 27001 again. The research suggests that managers experienced problems in finding a user
friendly risk assessment methodology, or had to revisit the process a number of times before it met the needs of
the organisation.
A small, but nevertheless important minority at 7%, stated that they would not use consultants, or alternatively
reduce their reliance upon external resources if they were to implement the system again. These comments
reflect difficulties observed in other management system standards, where poor consultancy support does not
result in the transfer or establishment of a knowledge base within the client organisation. The result is that when
the consultant finishes their project, management within the organisation lack ownership or understanding of the
new system.
Of the 314 respondents to this survey, only one organisation questioned the wisdom of implementing ISO 27001
and this was attributed to a lack of knowledge about the standard among the organisation’s client base.
Interestingly 27% of respondents said that they would not change any aspects of how they implemented the
standard and would be happy to repeat the same process again.