New Zealand companies engaged in e-commerce will soon be able to show that their information security management systems are up to international standard.
Quality Assurance Services is the first organisation in Australia and New Zealand to apply to offer certification for the ISO/IEC 17799:2001 Information Technology Code of Practice for Information Security Management. It plans to offer certification for the new standard, which replaces the AS/NZS 4444 standard, before the end of the year or early next year.
Deloitte Consulting is also keen to provide the certification service and is talking to JASANZ (Joint Accreditation System of Australia and New Zealand), the joint Australian and New Zealand government body that accredits certification providers.
Information security consultants suggest the ISO standard is being widely adopted in Europe and Asia.
Kirsty Shores of Axon Computertime, who was an information security consultant in the UK, says many British organisations are getting certified against the standard to demonstrate to customers how serious they are about security.
In Australia the ANZ Bank has implemented the standard even though it isn't yet certified and Telecom has deployed it in New Zealand.
Andrew Mason of BSA Consulting advises companies to get a copy of the standard and understand it. "It's designed to cover everything you might need to think about, so it's highly unlikely every organisation will do everything it says and it's not prescriptive."
Last week Deloitte and Standards New Zealand joined forces to run a series of seminars on the standard.
Deloitte partner Ian Perry, who heads the enterprise risk services division, sees the standard as an e-commerce enabler.
"The challenge management faces is deciding whether this is just another cost to have to comply with, but it's not about re-inventing a lot of stuff. Many organisations have already put in bits and pieces of the code of practice and this gives them something they can move towards to certify against. It shows that through an ISO process they have become certified to that level and have been maintained at that level.
"Typically they would assess where they are against the standard by doing a gap analysis," he says. "One of the new areas that the standard introduces is continuous assurance. When you're in a secure environment with interfaces out to the internet, any degree of change might mean you are no longer complying with the standard. This provides measures for an ongoing series of activities that ensure that you continue to comply."
Certification may also help for insurance purposes. This year US insurance companies The St Paul International Insurance Company and American Home Insurance Company started offering New Zealand organisations insurance policies specifically aimed at protecting against cyber-business interruption and e-commerce liabilities.
Insurance broker Ian Thompson of Willis New Zealand says to get such a policy a company has to show it has stringent security measures in place to protect its data and networks. He says certification to the new standard could go a long way to showing this. He says although the number of local companies taking out such policies is small, they usually do so because of contractual obligations.
ISO/IEC 17799 provides a framework of measures for developing and maintaining confidence in an organisation’s ability to manage its information security risk. It is derived from the British standard BS 7799, which is divided into two parts: part one is the code of practice, a guide (and the part ISO adopted as 17799), and part two is the specification that certification audits are carried out against. The standard takes a risk management approach to ensure controls are implemented and includes a best-practice description of the objectives, characteristics and factors to consider for 127 controls.
E-government unit policy manager Brendan Kelly says many government departments are familiar with the previous standard AS/NZS 4444 in developing their security policies and will start updating to the ISO standard over the coming months. However, he says it isn't current government policy that government agencies be certified against the ISO standard.
"All policies are subject to being updated and this will be updated to reflect the status of the new ISO standard. Whatever other changes are made will be determined by the working groups of experts at the appropriate time."
He says the government treats this seriously, as people can see by visiting SIGD.