The Hindu Business Line : IT, BPO firms rush for ISO-27001 certification

High Security
At present, very few IT and BPO firms in India are ISO-27001 compliant.
Companies are increasingly going in for ISO-27001 certification to retain their customer confidence.
ISO-27001 is awarded for effective e-security and physical security measures.

Bangalore, Aug. 16

In a bid to better manage risks relating to information security apart from seeking to retain their customer confidence, IT and BPO firms are seen rushing to get ISO-27001 certification. The IS0-27001 is the highest certification standard available from the International Standards Organisation and is adopted from the BS 7799 standards of the British Standards Institute (BSI).

ISO-27001 is awarded for effective e-security and physical security measures. By going in for this certification, an organisation can receive an independent assessment of their Information Security Management System (ISMS).

At present, very few IT and BPO firms in India are ISO-27001 compliant. Those certified include Satyam Computers, Keane India, Accenture, Cranes Software, Aztecsoft, Microland and PSI Data Systems among others.

Mr Sivaram Sivasubramanian, programme manager, ICT Management Systems at SAI Global Ltd, an Australian security auditor, said IT and BPO companies are increasingly going in for ISO-27001 certification not only to retain their customer confidence, but also to satisfy the internal customer confidence.

Overseas customers before outsourcing their critical functions to destinations like India are looking at the credibility of the vendors in terms of protecting their intellectual property and maintaining data privacy among others. A certification like ISO-27001 would help vendors to instil confidence among the clients, Mr Sivaram said.

Win Confidence

ISO-27001 addresses the security requirements of over 130 controls, of which about 4-5 are mandatory while the remaining are optional. The ISO 27001 outlines the rules for defining, establishing, implementing, operating, reviewing, monitoring and improving a documented ISMS within the context of an organisation's overall business risks. The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets of clients.

Compliance needs

The ISO-27001 certification helps companies to comply with multiple legislations and regulations such as HIPAA, SOX, Safe Harbour Practice among others. It also helps companies to win confidence internally especially among employees, who are now wanting employers to maintain secrecy over their personal data, he said.

"Information security requires robust risk management, a comprehensive awareness program and structured BCP (Business Continuity Plan) in place," said Mr Sukant Srivastava, Managing Director, Keane India. "Being one of the first five companies to achieve the ISO 27001 certification for information security, Keane's Information security needs are primarily driven by unique requirements of its customers for safeguarding their data," he said.

"Besides, Keane is equally sensitive on the end user implications, which not only add an extra level of trust with clients but also helps in safeguarding the interests of consumers/customers who finally use the applications," Mr Srivastava added.