On page 33 of the Cyber Security Breaches Survey 2016 there is a telling paragraph:
Implementation of the international standard for Information Security Management, ISO 27001, is also relatively uncommon. Among those who are aware of this standard, a quarter (26%) have implemented it and a further quarter (24%) are intending to do so in the future. This is consistent across size bands. Across all businesses (i.e. not just those who are aware of the standard), this equates to five per cent having implemented ISO 27001 and four per cent intending to do so.
Information Security – More Talk than Action?
So only 5% of businesses have implemented ISO 27001, and only a further 4% intend to do so. That says it all, really, and it suggests that those of us who care about information security have a lot of work to do to convince people this is the way to go.
When it comes to Cyber Essentials, the UK Government's own scheme, the results are, if anything, worse:
Reflecting the relatively low awareness at present of the Cyber Essentials scheme, only two per cent of all businesses recognise having implemented the Cyber Essentials standard across their business. A higher proportion (10%) of large organisations recognise that they have implemented the standard, although the scheme is relevant for businesses of all sizes. Information, communications or utility firms are also somewhat more likely to recognise having adopted this standard (8%, versus 2% overall).
And, whilst Cyber Essentials is certainly of value, it only addresses part of the information security challenge: its five controls (boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management) are basic technical hygiene, not the management system, risk assessment and continual improvement that ISO 27001 demands.