Results from a survey of IT managers in FTSE 500 companies, published last week by IT consultancy Idetica, reveal that, although 91% of firms have invested in, or are planning to invest in, online security technologies, only 34% are aware of the BS7799 Code of Practice for Information Security Management.
Of the companies surveyed, only one in 10 said it was already accredited with the standard, and just 16% had any plans to adopt BS7799.
First published in 1995, BS7799 specifies best practice approaches to the policy and procedural aspects of IT security, but since its inception fewer than 40 UK companies have obtained the certificate.
Users have criticised the accreditation process as being both costly and time-consuming.
Although nearly all the respondents - 87% - acknowledged the importance of backing up security technologies with sound procedures and followed formal security business processes, relatively few could specify what their processes included.
Martin Sutherland, head of consulting at Idetica, said, "When people talk about security, they think of firewalls and virus protection, which are point solutions. They don't seem to have an overall picture of a complete security practice."
One of the reasons why so few companies were willing to adopt the standard was that they didn't see the business benefits of becoming accredited, Sutherland added. But the benefits of the standard far outweighed the costs in the long run, he said, comparing BS7799 to an insurance policy.