The government has an important role to play in
improving information security, the UK chapter of the
international Information Systems Security Association
(ISSA) has said.
The ISSA sees international security standards as key to
ensuring that the leadership of UK companies turns heightened security
awareness into action.
Geoff Harris, ISSA-UK president, said legislation to enforce
certification on information security standards such as
ISO 27001 was
essential to effect change.
"It is human nature to take shortcuts, and without someone
checking they are doing what they should be, security will fall to
pieces," said Harris.
He said although it was important to avoid placing UK companies
under state controls that were too restrictive, the government was
a good place to start in driving standards through legislation and
its own procurement policies.
"Although legislation is key to enforcing security compliance,
it requires careful judgement not to raise the bar too high, and
government needs to consult with industry organisations to find the
right balance between security and operability," he said.
Despite recent surveys indicating that security awareness and
expenditure had improved in recent years, Harris said many
organisations did not have the appropriate levels of controls in
place, and where they existed they were not being enforced.
"If government builds information security certification into
its procurement requirements, it will help filter that down the
supply chain," he said.
According to Harris, fewer than 400 UK companies were certified
on the ISO 27001 standard. "This should be in the thousands already
because the standard contains all the recognised and proven
security controls every organisation should have," he said.
Harris said he hoped that initiatives such as the soon-to-be-published
security guide for company directors from the Information
Security Awareness Forum (ISAF) would begin to hit home at board
level in 2008.
"Within organisations people need to be managed and controlled
to ensure they apply the technological and procedural controls that
are in place, and this must be driven by the board through
management to every individual in the organisation," he said.