Friday, May 16, 2008

Why Is ISO2700x Hot in UK, but Not in US?

First, something hilarious: I was teaching this brief course on logs overseas and touched upon the subject of ISO17799. So, having recently read how many companies in the US were ISO17799 certified, I asked my audience whether they could guess what the number was. One guy volunteered an answer, after some hesitation: "Less than 50%?"

That's "percent", folks :-)

I said to him: "You are right!" and laughed - "It is indeed less than 50!" 50 as in "count" (I read somewhere at the time that 49 companies were certified US-wide).

So, ISO17799 is hot in some countries: UK, Japan, Russia (where it is the basis for a set of national standards), many others. But not in the US.

I have long been puzzled about this. What's the story?

The most likely explanation is that every security manager worth his salt read ISO17799 documents and then used the ideas and material in his own policies, procedures, etc. On the other hand, he sees no motivation whatsoever to invest in certification - since nobody is making him do it (no equivalent of a PCI auditor is standing nearby with a big axe...)

Another explanation is that, due to the longer history of security management in the US (compared to other countries), home-grown approaches took root and no external standard will dislodge them.

Yet another hypothesis goes like this: in the US, it is more important to do a good job [managing security] than to be "standards-compliant." Is the opposite true in Europe and Asia? I dunno...

Or maybe ISO stuff is seen as "that Euro thing?" Exotic like a Hungarian chick, but just as relevant :-)

Any ideas? UK scene, any ideas? Do you care for ISO17799 at all? As a useful document to read or something to be certified in?


Anonymous said...

This is something that has also puzzled me. Why so little take up in ISO 27001, and its predecessor, BS 7799 in the US? I don't think it is a Euro versus US thing as the take up in Ireland is also quite low, only 19 companies certified at my last count.

I think one major reason for the lack of take up was the confusion many people felt while waiting for the transition from BS 7799 to ISO 27001. Also the widespread use of COBIT for SOX compliance impacted on the uptake of BS 7799/ISO 27001.

I also believe another reason for the slow take up has been the focus on other compliance requirements such as SOX, Basel II and now PCI DSS. These are all being treated as separate compliance projects and as an industry we could very easily end up on the compliance treadmill. Once the dust has settled on PCI DSS compliance will there be another standard driving the business to look towards IT/Information security to "get it sorted"?

I firmly believe that companies who get certification against ISO 27001 implement a very strong foundation upon which to build other compliance projects against. So rather than run a compliance program against each standard, we can use ISO 27001 to be our "code base" and simply add in the new "compliance modules" as required. I wrote an article for "Knowledge Ireland" magazine on this subject and a copy can be got at my website at

I am now seeing an increasing interest in ISO 27001, both from clients here in Ireland and abroad looking to certify against the standard, and also coverage in industry media on both sides of the Atlantic. So I predict that we will see a bigger uptake over the coming year or so, especially as compliance exhaustion starts to hit people.

P.S. Just for clarification: ISO 17799 is a code of practice for information security and is now ISO 27002. Certification is against ISO 27001 and not ISO 27002. So ISO 17799/ISO 27002 can be used as a checklist of best practices to implement, but if you are going for certification against the ISO 27001 standard you should ensure the controls you choose from ISO 27002 are based on a comprehensive risk assessment that is in line with the organisation's business requirements and appetite for risk.

Anonymous said...

Chris: Since I have been on both sides of FISMA (operations and auditor) for a few years now, a lot of them being outsourced systems, I can say that US companies are interested in "minimum compliance". To which I reply: "so your wife was only a little bit pregnant then?" Let me start with the following:

Not Invented Here - The security managers I run into take the parts that they can comply with and work hard on those, leaving the others out. The problem being that hundreds of people have spent thousands of hours coming up with control catalogs to be applied anywhere. Most of the time they don't put in useless controls. Extreme or paranoid sometimes, but generally a good idea.

Lack of Funding - Security is like plumbing; it only gets noticed when something goes wrong. The heat is on for the week or two of incident response work. After that, management is on to new fires. Most places consider this a workable plan since the cost of an ongoing program outweighs the two weeks out of the year where everyone is panicked.

No Perceptible Benefits - Being ISO 2700X certified holds no weight here. Like you said above, the governments have adopted it and then the businesses wanted to remain competitive so they adopted it. Again, the US decided to create their own, and not just one: 8500.2, DCID 6/3 and 800-53. Only now are they beginning to converge.

Laziness - Which is really the bottom line. It is a lot of work to gain a certified status and then maintain it, especially on the level that some agencies require. Without buy-in from customers and industry, there is no benefit to being certified.

In short, it is a new thing and the people I know are not early adopters. Given time and acceptance I think it will catch on, especially when cross references between the standards become more mature and the value of compliance with a good information assurance program is realized.

Anton Chuvakin said...

Wow, thanks for the insight! I think that "minimum compliance" argument is sadly the strongest... More on that on Monday :-)

Dr Anton Chuvakin