IT and your company: where we go next
09 Jul 2010
Topics: Information security, ISO/IEC 27001
Companies around the world are striving to emerge from the economic crisis into growth. It could well be the moment to get on board with the new technology landscape, but investing in any IT strategy involves steering past the pitfalls. Business standards, such as ISO/IEC 27001 Information security, can help you get the most out of your budget.
The exponential growth of electronic data is already a major issue. Worldwide data volumes are believed to be growing by as much as 100 per cent a year. To put that in context, more data was created by individuals in 2009 alone than in the whole of recorded human history up to 2008[1]. This rate of growth shows no sign of slackening.
In parallel, electronic data storage technology is keeping pace with demand. Soon consumers will be able to purchase hand-held devices capable of storing more video than can be watched in a lifetime. More importantly, we now have the ability to store, move and analyze extraordinarily large amounts of data.
However, with increasing volumes of data flow comes increased risk of information security breaches. Businesses can hold highly sensitive information about their clients and customers, which could be very damaging if it fell into the wrong hands. Similarly, businesses have plans, policies and potential client lists of their own to protect. But help is at hand. Working towards recognized business standards, including ISO/IEC 27002 Information technology and ISO/IEC 27001 Information security, can demonstrate to stakeholders and customers that data security is treated seriously.
There is an opportunity for businesses to make smart use of the information in their marketplace. The challenge is to find cost-efficient ways to handle that information without compromising its security, availability or integrity, or breaching the law.
Shifting the model
Hand in glove with the rise of data volumes is the emergence of new IT models: specifically concepts such as shared services and cloud computing. In the future, even small businesses will not own and run IT capabilities in-house, but will buy in the IT services they need in something like the same way they now buy in electricity.
The implications for businesses are twofold. On the one hand it's about reducing costs and carbon: moving into remote IT provision saves on the energy, space, hardware and personnel which in-house data centres take up.
The flip side is that, conceptually at least, businesses are handing over direct control of their data to third parties - possibly even sending data beyond regulatory borders (they are increasingly doing that anyway through extended global supply chains). In either event this raises information security and governance implications.
Tackling information governance
So far there is evidence that many businesses are overwhelmed by, rather than in control of, the rapidly proliferating data. Information security measures are not keeping pace with data volumes, potentially compromising business continuity.
For instance, the number and cost of information security breaches in 2010 in the UK is already up on the 2008 total according to PwC's latest information security survey - at an average cost among those surveyed of £485k.
The same research found that although businesses see information security as a high priority, they are still spending more on technology solutions than on control. As a consequence many organizations are in catch-up mode, and that includes addressing the need to provide assurance across the supply chain.
In response, says Breda Corish, head of ICT market development at BSI, businesses should have an information policy that is capable of adapting to their evolving requirements.
"For example", she says, "many organizations may have one that covers how staff access the internet but not how the organization portrays itself on social media." She adds, "It's clearly important to keep policies up to date."
ISO/IEC 27002 Information technology supplies guidance on current good practice in information security management and stresses that a policy should not only be fit for purpose across the whole organization, but be capable of responding to change.
Meanwhile its companion standard ISO/IEC 27001 Information security is a way for organizations to implement relevant information security controls which can then be internally or independently audited to demonstrate to customers and other stakeholders that appropriate good practice is being adhered to.
ISO/IEC 27001 is fast becoming the international benchmark for organizations which seek to demonstrate that they are taking information security seriously: 40 per cent of PwC's surveyed companies said their supply-chain customers had asked them to comply with it.
This was precisely the reason why the United Nations decided to implement the standard and seek independent ISO/IEC 27001 certification. Not only did the UN want to have the best approach to managing information security, but they also wanted to demonstrate to the world that they were doing so. In addition, ISO/IEC 27001 helped the organization to create a logical and comprehensive inventory of policies, guidelines, documented controls in the information security domain, and related activities such as business continuity and disaster recovery. As Dino Cataldo Dell'Accio, ICT security officer, said, "We're able to assess our preparedness in a very consistent and rapid manner, whereas, before that would have taken months of preparation."
And organizations don't just need to secure information, but also to manage it effectively, both for compliance and, as importantly, for reasons of operational efficiency and to maintain business continuity. A recent Harris Interactive survey of European information workers showed that respondents spent as much as 30 per cent of their week verifying the accuracy and quality of their data.
BSI ISO/IEC 15489 Information and documentation provides guidance on good practice in records management (from creation to disposal). While originally aimed at practitioners, it is currently being revised as a management system standard, part of the new BS ISO/IEC 30300. This shift is in response to senior managers recognizing that a robust records management policy can help them meet organizational objectives, especially with regard to improved customer service. After all, however securely records are stored, they have little business value if they are out of date or cannot even be located.
This latter point also highlights the growing interest in "e-discovery", which is of special interest to organizations which may need to prove the authenticity of electronically-stored information in court. This challenge is addressed by BS 10008, which provides guidance on how data can be managed across its lifetime in order to preserve its legal admissibility and evidential weight.
Regulatory landscape
Nor has the changing information landscape escaped the notice of regulators who are realizing that legislation on how information is held and used needs to catch up if further catastrophic data mishandling events are to be prevented. The result according to David Fatscher, BSI's ICT sector content manager, is 'a heightened regulatory trigger finger'.
Fatscher notes that this applies globally. For instance the relevant EU Directives on privacy and data protection are currently under review and the US House of Representatives has been holding sessions about the security of cloud computing.
In the UK, the Information Commissioner's Office (ICO) already has new powers and regulators are able to conduct compulsory audits of public sector organizations. This may be extended to the private sector. The ICO is able to levy fines of up to £500k. This wouldn't trouble a major corporate financially but the reputational impact would be much worse.
For obvious reasons, the regulator's hand is likely to fall nowhere more heavily than on financial services where governance and compliance are high on the agenda. Information governance will be under increasing scrutiny.
A new British Standard is being developed which tackles how the financial services industry manages regulatory compliance issues. BS 8453 sets out a good practice framework for operating a compliance programme in regulated retail and wholesale financial firms.
Social media
A further dimension of new technology is the seemingly inexorable rise of social media, which only contributes to the data explosion.
Facebook, within four years of being widely available, now has around 400 million active users. Twitter currently has around 100 million active users. In the first quarter of 2010, 4 billion tweets were posted; that's 750 tweets sent every second. And it's only the tip of an iceberg of blogs, discussion boards, online communities and other social networks.
Such big numbers have inevitably caught the attention of businesses and other organizations, hence the stampede to develop a corporate presence on Facebook plus the plethora of blogs and Tweeting CEOs. This is happening for one central, compelling, and actually very established reason: people are much more prone to buy things which are recommended by someone they trust.
Recent research concluded that social networkers are three times more likely to trust peer opinions over advertising when making a purchasing decision. And 91 per cent of consumers surveyed said that online consumer content is the number one aid to a buying decision. In whatever form, purchasers make decisions based on what they see online.
As a consequence 'best in class' social media practitioners already far outperform average companies in many key respects: according to recent research they are 36 per cent more likely to retain customers than their industry average competitors, and 36 per cent better at predicting customer behaviour[2]. Businesses looking to pull out of the recession will ignore the opportunity to learn from and interact with customers at their peril.
Networking sites (such as LinkedIn) have also become established business tools for professional relationship management and, subsequently, for the recruitment industry. Work has begun on a new British Standard (BS 8877) aimed at codifying best practice for organizations using online technology, including social media, to attract, select and recruit prospective candidates.
The rise of people power
Lastly, the growing ubiquity of technology is also producing a societal response. The final emerging dimension in the technology landscape is growing information awareness among consumer-citizens and politicians. Increasingly they want organizations to be more transparent, at the same time as they want personal data to be more secure.
On this note, perhaps the rise of Facebook (and its many clones) won't be so inexorable after all, as individuals wake up to the impact of Saturday night's party on Monday morning's job interview. Already, in May 2010 QuitFacebookDay.com was urging "addicts" to walk away from a pernicious habit, on the grounds that Facebook doesn't respect the privacy of its users.
It's possible that "Quit Facebook" could be a bellwether for how social media will develop in the next couple of years. The same consumer disquiet at how their privacy is being breached can be seen in the sometimes negative response to Google Street View (already banned on privacy grounds in Austria) and, in the UK, in a growing discomfort with CCTV - regulation of which is due to go through the current UK parliamentary session in a move to roll back the 'surveillance state'.
Businesses looking to stay on the right side of consumer privacy concerns as well as their legal obligations under data protection legislation can use BS 10012 Data protection, which provides a framework for managing personal information in a responsible, confident and effective manner. The standard provides procedures for training and awareness, risk assessment and data sharing and disposal.
In common with other information governance standards, it offers a roadmap to help negotiate a fast-changing landscape successfully.
[1] http://blogs.hbr.org/now-new-next/2009/05/the-social-data-revolution.html
[2] http://www.slideshare.net/DigitalInfluence/business-impact-of-social-media
Business Standards © 2010. Editorial produced by Caspian Publishing in association with The British Standards Institution. Editorial opinions expressed are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.