New Study Shows 38 Percent of Information Security Processes are Immature


The 2007 ISO 27001 Benchmark Study shows many organizations have gaps in their governance of information security.

[Figure: Process Maturity Scorecard]


New research from Wolcott Group, "The 2007 ISO 27001 Benchmark Study," shows that many organizations have significant gaps in how they manage information security. While most organizations have mature or developing controls for information security, many still have immature processes for key areas such as security policy training, access control, asset management, business continuity, and IT compliance auditing.

"One of the most significant findings from the study is that nearly half of the respondents rated their organization's approach to managing information security as 'initial' or 'non-existent'," stated Gary Sheehan, CISSP, HISP, managing consultant for information security at Wolcott Group. "Essentially, this study demonstrates the need for organizations to adopt a more holistic approach to managing information security like ISO 27001/27002."

Highlights of Immature Controls and Processes:

  • 57% have immature processes for classifying the value of their information assets
  • 56% have immature employee training programs on information security policies and procedures
  • 47% have an immature approach to managing information security
  • 45% have immature business continuity processes
  • 36% have immature IT compliance auditing processes

"The 2007 ISO 27001 Benchmark Study" was based on a 20-question self-assessment survey that explored the major aspects of how organizations govern information security as it is aligned with the ISO 27001 international standard and the ISO 27002 best practice framework. The study had 89 participants from a variety of industries, with 88% being in an IT management role, and 62% from organizations with over 1,000 employees.

Interested parties can visit Download The 2007 ISO 27001 Benchmark Study to register to download a complimentary copy of the benchmark study.

A related webinar
On February 27, 2008, Wolcott Group will host a webinar to expand on the study's findings as well as cover some best practices for managing information security using the ISO 27001/27002 framework. For more information and to register for the webinar, please visit Register for the ISO 27001 Webinar.

The related Online ISO 27001 Self-Assessment is still available
The online ISO 27001 self-assessment that was used to collect the data for the benchmark study is still open for use at Take the ISO 27001 Online Self-Assessment. The self-assessment enables organizations to benchmark their information security practices against the ISO 27001 standard and their peers.

About Wolcott Group
Wolcott Group is one of the top U.S. firms for standards-based, information security training, consulting, and technology solutions. Wolcott Group is a member of the IT Governance Institute, an authorized training center for the Holistic Information Security Practitioner (HISP) certification, and an authorized BSi Management Systems' Associate Consultant for training and consulting on ISO 27001/27002. Wolcott Group is an IBM Premier Business Partner, a Microsoft Gold Certified Partner, and also partners with other information security technology vendors to help its clients to improve their information security practices. For more information, please visit Wolcott Group's web site.

# # #
