July 02, 2012, 5:40 PM — Back in 2005, a new series of ISO standards made an appearance on the international stage of certifications (try to suppress the image of large wads of paper assembled in a Broadway kick line). Organizations that were already complying with standards aimed at transparency in corporate governance were invited to step up to a new suite of standards all based on what is required to keep information assets safe.
The standard wasn't really new in 2005. It was first published in 1995 as BS 7799, later adopted by the International Organization for Standardization (ISO) and eventually published as part of the ISO 27000 series. You'll still find copies today with the designation "ISO/IEC 17799".
While ISO 27001 is an up-and-coming standard, it doesn't quite qualify as "popular" -- at least not on the ISO organization's home page, which lists ISO 31000 (risk management), ISO 9000 (quality management) and several other standards under that heading. But the popularity of ISO 27001 depends very much on where you are. While there are only 104 certified organizations in the US, there are 4,061 in Japan, 549 in the UK, 545 in India, 504 in China, and 459 in Taiwan. Go, Japan! The numbers go down from there to a number of countries with a single certification. If you are reading this text well after I posted it, these numbers may well have changed. Check this link for up-to-date figures:
Who goes after ISO 27001 certification?
- Companies that want to show their customers that their information processing infrastructures or their data processing products are developed with keen attention to security. As an example, Google Apps for Business announced its certification in May.
- Organizations that want to minimize their security risks in a systematic, comprehensive way.
Sometimes entire companies will get themselves certified, but often only one portion of a company -- a particular business unit or product line (e.g., Google Apps for Business) -- is certified. This is especially common in large, complex organizations, where achieving overall certification would be an incredibly complex and time-consuming effort.
While most people refer to "ISO 27001", the suite of related standards includes 27000 through 27011.
- ISO/IEC 27000:2009 (ISO 27000) -- ISMS Introduction & Vocabulary
- ISO/IEC 27001:2005 (ISO 27001) -- ISMS Requirements (revised BS 7799 Part 2:2005): the specification for an information security management system (an ISMS).