Bill Goodwin

Only 37 UK organisations have been awarded a certificate for the government-backed security standard, more than two years after the certificates were introduced, Computer Weekly can reveal.
The figure, disclosed by certification body the British Standards Institute, raises questions about the value of the formal security accreditation to IT departments.
The BS7799 standard was developed by the Department of Trade & Industry to provide companies with a way of demonstrating to customers and clients that they are taking information security seriously.
The importance of IT security has been highlighted by the recent spate of security breaches that have hit companies such as Reed Executive, Barclays Bank and Egg.
BS7799, which has now become the information security standard for government departments, sets out guidelines for information security and policy, training, security breaches and computer viruses.
Security experts said this week that, although companies are applying BS7799 standards to their systems, many see little value in paying for a formal BS7799 certificate.
Chris Sundt, an IT security consultant, said many organisations see no business benefit in having a formal qualification.
"If your casual suppliers had a BS7799 certificate, it would probably give you a warm feeling, but even then you are not going to give them sensitive information," he said. "The people you have a critical relationship with, you will have a contract with - and you agree what the security policy is. If they have got BS7799 that may make the process easier, but you are never going to rely on that."
But moves by the International Standards Organisation to turn BS7799 into an international standard could encourage more UK companies to seek a BS7799 certificate.
"People go for ISO 9002 and 9001 because they are international standards - that's clearly understood," said Richard Boothroyd, chairman of the British Computer Society Security Committee.