Businesses are carrying out formal reviews to understand the impact of regulations such as Sarbanes-Oxley and Basel 2 on their IT systems, only to be faced with further regulations that require further reviews, said Ray Stanton, head of group security at BT.
"We need to see a drive from industry to force government to take leadership in an international context. If we are going to have regulations that affect businesses internationally, why not have co-ordinated programmes [that minimise the work]," he said.
There are cases where companies perform audits to assess the impact of one regulation, only to find another regulation comes along that requires another audit, said Jeremy Beale, head of e-business at the Confederation of British Industry. "We are looking at the possibility of getting some sort of coherence to information security audits. This is a discussion we are having with various groups," he said.
Paul Simmonds, global information security director at ICI, said his firm was having to deal with more than 20 pieces of legislation, from the Health Insurance Portability and Accountability Act in the US to the European Data Protection Directive and Canada's Privacy Act.