Only 37 UK organisations have been awarded a certificate for the government-backed security standard, more than two years after the certificates were introduced, Computer Weekly can reveal.
The figure, disclosed by certification body the British Standards Institute, raises questions about the value of the formal security accreditation to IT departments.
The BS7799 standard was developed by the Department of Trade & Industry to provide companies with a way of demonstrating to customers and clients that they are taking information security seriously.
The importance of IT security has been highlighted by the recent spate of security breaches that have hit companies like Reed Executive, Barclays Bank, and Egg.
BS7799, which has now become the information security standard for government departments, sets out guidelines for information security and policy, training, security breaches and computer viruses.
Security experts said this week that, although companies are applying BS7799 standards to their systems, many see little value in paying for a formal BS7799 certificate.
Chris Sundt, an IT security consultant, said many organisations see no business benefit in having a formal qualification.
"If your casual suppliers had a BS7799 certificate, it would probably give you a warm feeling, but even then you are not going to give them sensitive information," he said. "The people you have a critical relationship with, you will have a contract with - and you agree what the security policy is. If they have got BS7799 that may make the process easier, but you are never going to rely on that."
But moves by the International Standards Organisation to turn BS7799 into an international standard could encourage more UK companies to seek a BS7799 certificate.
"People go for ISO 9002 and 9001 because they are international standards - that's clearly understood," said Richard Boothroyd, chairman of the British Computer Society Security Committee.