Stuart King makes a good point about ISO 27001 providing the basis of public sector information security. The public sector oil tanker knows where it is heading, but it is still very much in the process of making its turn. Being the public sector, there may be deviations and hazards en route.
There is, in my opinion, very much a disconnect at present between talk at the policy maker level in government and actions at the local authority or county court house level. Platform speakers at the CIPCOG conference in York in February essentially confirmed that a new age of information security focus had arrived. However, our data destruction sales team regularly finds that knowledge and demand at the purchasing coalface within the public sector are poor and way behind where the policy makers would have you believe they are.
This is partly because information security is not seen as an enabler by civil servants. New rules mean, for example, that they can no longer put files onto a memory stick in order to work from home. Take-up of information security measures will be enforced rather than spontaneous or voluntary.
Likewise, take-up in the private sector will be driven by government requirements placed on larger Tier 1 providers, with a trickle-down effect through the rest of the private sector. Suppliers further down the food chain will eventually have to comply and implement information security themselves. Those that try to do so at present will find it a real challenge, given the lack of straightforward and concise guidance available on ISO 27001.
I hope that this blog will play a part in filling that gap by making ISO 27001 more accessible and understandable.