50% of ISO 27001 Companies don’t care about Security Rules

October 23, 2009

Almost half of businesses that claim compliance with ISO 27001 are sharing privileged user accounts and breaking other standard guidance.

Some figures:

Some 47% of firms in the UK said they were compliant with the standard. But 41% of these said that they were using various non-compliant practices.

Bad Practices:

  • Use of default user names and passwords,
  • Granting wider access than is necessary,
  • Failure to monitor privileged users, and
  • Ignorance of the existence of privileged users in the first place.

Who was surveyed?

270 European IT managers (including 45 in the UK)
Survey conducted by: Quocirca

29% of firms in the UK rely on manual control of privileged users, who include system administrators, application service users, and privileged personal users.

Only a quarter have implemented privileged user management software, which aims to help businesses enforce and track policy. Around 20 percent plan to implement the software.

UK firms saw privileged users as a medium threat, rating them on average at 2.5 on a scale of one to five, where one meant no threat and five represented a very serious threat.


  1. http://whitesock.net/index2.php?option=com_content&do_pdf=1&id=24877
  2. http://www.networkworld.com/news/2009/102209-almost-half-iso-27001-compliant.html?hpg1=bn