Thus it's no surprise that they lag behind in complying with the International Standards Organization's (ISO) 27001 security management standard passed in 2005. While Japan has a law requiring companies to become ISO 27001-certified, "It's just catching on in the U.S.," says Jim Reavis, president of Neupart, a vendor of ISO 27001-compliance tools (see company news, below).
ISO 27001, officially titled Information Security Management - Specification With Guidance for Use, provides a basis for third-party audits of an organization's security policies, procedures and technology. Based on the ISO 17799 best-practices standard, ISO 27001 stipulates a four-phase methodology, PDCA — Plan, Do, Check, Act — for deploying and continually improving an enterprise's internal security posture.
The U.S. has "the most laws for security and privacy but the most security breaches of any country in the world," says DiMaria. He blames this on American companies' fragmented approach to security.
ISO 27001's PDCA, conversely, mandates a consistent, iterative structure. It calls for enterprises to assess (Plan) their security risks and implement (Do) security procedures and policies, then measure (Check) their effectiveness and fine-tune (Act) the steps they have taken.
"A great majority, perhaps 80 percent, of American companies have ISO 27001 compliance on their road map," he adds. Most, however, are looking "three to four years" out for compliance.
The Fortune 500 U.S. companies that have moved ahead have done so only in individual business units, not across the entire organization. Cisco and Verizon, he says, have announced ISO 27001 initiatives.
Compliance with ISO 27001 will be critical for American companies competing in global markets, particularly Asia, says Reavis. "They will have to show the same level of security in order to keep the supply chain moving," he says.
— Jim Carr