Standardisation of information security refers to the introduction of protection procedures and the allocation of responsibilities when establishing business recovery procedures. This means that protection of the system in case of technical, environmental and management failure should be treated as a routine task.
Guidelines for the standardisation of information security should be aligned with the business strategy through effective implementation, procurement and integration of the system (Turban, McLean and Wetherbe, 2002). Standardised information security is a set of procedures consisting of hardware, software, lifeware, orgware, netware and dataware support.
Protection of information resources requires a sound security policy and a set of controls. ISO/IEC 27001, an international set of standards for security and control, provides helpful guidelines. It specifies best practices in information systems security and control, including security policy, business continuity planning, physical security, access control, compliance, and creating a security function within the organisation.
There are a number of reasons for implementing an information security system that is capable of being independently certified as compliant with ISO/IEC 27001. A certificate tells existing and potential customers that the organisation has defined and put in place effective information security processes. This helps to create a trusting relationship.
Protection of information resources requires a well-designed set of controls. Computer systems are controlled by a combination of general controls and application controls, such as the following (International Standard ISO/IEC 27001, 2005): security policy, organisation of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management and compliance.
Regarding the standardisation of information security, the number of certified organisations in the world has been increasing over the last few years, as illustrated in Figure 1. According to the International Register of ISMS Certificates, 7940 organisations held ISO 27001 certification in July 2012 worldwide. Japan comes in first place with 4152 organisations. The United Kingdom comes top in Europe with 573 organisations. In the countries of the Western Balkans there were 34 ISO/IEC 27001 certified organisations, as follows: 27 in Croatia, 2 in Bosnia and Herzegovina, 2 in FYR Macedonia and 3 in Albania, as illustrated in Table 1 (International Register of ISMS Certificates, 2012). This region also registered an increasing number of certified organisations in the period 2011 – 2012. Regardless of the growth in certified organisations, it is noticeable that information security is not adequate in the countries of the Western Balkans. In some countries there are no ISO/IEC 27001 certified organisations at all (Serbia, Montenegro and Kosovo under UNSCR 1244/99). Therefore, research into the perception of management in banking and insurance companies is necessary in order to promote the process of systematic improvement of the information security system.
Figure 1: Number of ISO/IEC 27001 Certified Organisations in the World
Table 1: ISO/IEC 27001 Certified Organisations in Western Balkans

| Country | Earlier period | Later period | July 2012 |
|---|---|---|---|
| Bosnia and Herzegovina | 2 | 2 | 2 |
| Kosovo under UNSCR 1244/99 | 0 | 0 | 0 |
| Total Western Balkans | 8 | 13 | 34 |
| % Western Balkans in World | 0.12 | 0.18 | 0.43 |