Only 1% of software firms meet ISO standards in information security

March 15, 2013 | 02:36 pm GMT+7

Only 10 out of the 800 operational software firms have ISO/IEC 27001:2005 certificates on information security.

Illustration photo (Source: Internet)

The 10 software firms are the biggest ones in Vietnam, namely FPT Software, CMC Soft, Bkav and Tinh Van, while small and medium firms don’t think they need such a certificate.

Meanwhile, according to Nguyen Trong Duong, Director of the Information Technology Department of the Ministry of Information and Communication, since only some big enterprises can meet ISO 27001 standards, Vietnam has been considered as a country with information insecurity.

“Information security is now a burning issue in the world. Not only IT firms, but the businesses and institutions applying IT solutions also have to meet the standards like ISO 27001,” Duong said.

The certificates are especially important to IT firms which give consultancy to enterprises and help them build up the information security management systems for their own. However, to date, only banks, finance institutions and data centers have been applying ISO 27011.

The official statistics of ISO showed that only 14 Vietnamese enterprises meet ISO/IEC 27001 standards, including software firms, information technology companies and the businesses in other business fields.

As such, if counting software firms, only one percent of the operational companies meet ISO 27001 standards.

However, other sources in Vietnam have affirmed that 40 Vietnamese businesses and institutions have met the standards.

Explaining the big difference in the statistics shown by ISO and the Vietnamese sources, Dinh Mai Trang, Director of NetPro institute, said in Vietnam, there are many institutions which have the right to give consultancy and grant ISO certificates to enterprises. It happened that some enterprises got ISO certificates already, but their profiles have not been forwarded to ISO, therefore, their names have not been found in the ISO’s list.

Meanwhile, some enterprises have been weeded out of the list because they did not meet the standards in the next years after they received certificates (the certificates have the validity for three years, while enterprises have to go through new tests to get the certificates extended).

Vietnamese businesses don’t want to or cannot obtain certificates?

Duong said that Vietnamese businesses still hesitate to apply ISO 27001 mainly because of the lack of money. In order to do that, enterprises will have to spend big sums of money on different items, such as building up the procedures for applying ISO 27001, buying machines and equipments, or maintaining the information security management system.

Especially, enterprises have to do the thing which proves to be “impossible” for them: all the software programs of the enterprises must have licenses.

Once applying ISO 27001, all the workers in an enterprise will have to strictly follow the set procedures. Meanwhile, Vietnamese prefer working in a flexible way and they don’t want to follow any fixed procedure.

In fact, Vietnamese businesses find it difficult to apply ISO 27001, because it still lacks the high quality labor force in the field of information security. Trang said no Vietnamese has been recognized as the lead assessor for ISO standards. In general, the enterprises which plan to apply ISO 27001 have to hire foreign consultancy experts.

However, Duong said the situation would be improved as the Ministry of Information and Communication kicked off the training program on information security and ISO/IEC 27001:2005 standards for enterprises. It has also promised to prop up $20,000 at maximum to every enterprise which applies ISO 27001.