IT-Analysis.com
The right question to ask about the ISO27001 IT security standard
By: Bob Tarzey, Service Director, Quocirca
Published: 1st December 2009
Copyright Quocirca © 2009

Standards exist to provide reassurance when buying products and services. For example, the Kitemark standard, owned and awarded by the British Standards Institute (BSI), provides reassurance about the quality and safety of a wide range of products and services.

Attaining a Kitemark often requires that another more specific standard has already been reached. If you crash your car and take it to a repair shop displaying the Kitemark logo, the service provider is required to have achieved the technical specification PAS-125 (another BSI standard). On the BSI web site, it says that "repairers will be able to secure their future business by being able to independently prove to insurers and the motorist that their vehicle body repair service meets all the required safety criteria of PAS 125 and the Kitemark scheme".

The "all" is emphasised here because not all standards require that all their criteria are met. The ISO27001 IT security standard (specified by the American National Standards Institute—ANSI) provides reassurance about the security controls in place for IT deployments. In Quocirca's freely available report, Managed Hosting in Europe, published in June 2009 and sponsored by NTT Europe Online, the status of ISO27001 compliance was listed as a measure of the reassurance around the security of services on offer. For some vendors it was reported as being "in progress".

It may surprise some that "in progress" is a valid status for any organisation claiming it is ISO27001 compliant. The standard itself provides guidelines on deploying an Information Security Management System, or ISMS, and states in section 1.1 (April 2006 publication) that the ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. In short, the security controls specified in ISO27001 are optional, dependent on the needs of the supplier and its customers.

Quocirca is not suggesting any shortfall in those controls but merely reminding buyers of ISO27001 compliant services of the precise question they must ask. It is not "is your service ISO27001 compliant?", but "have you adopted ISO27001 and, if yes, which controls have you adopted and which ones have you not?"

This is the likely explanation for the finding in a recent survey into privileged users, carried out by Quocirca and sponsored by CA, that many organisations which claim ISO27001 compliance do not carry out the good practices with regards to privileged user management that are described in the standard.

Interestingly, the BSI also offers advice on its web site with regard to ISO27001; here it says "once the assessment has been successfully completed, we'll issue a certificate of registration, clearly explaining the scope of your certification". There is no sign of the word "all" there, and buyers should assess the scope of each vendor's certification accordingly.

Published by: IT Analysis Communications Ltd.