ISO27001 certification

Soon after my earlier post "The perils of vendor questionnaires", I started updating BIW’s website in connection with the issue of compliance with international standards (I link the two items as standards compliance frequently features in vendor questionnaires).

Updates were necessary as British Standard BS7799 Part 2 was superceded last October by a new global information security standard, ISO/IEC27001, and on 10 January 2006 Attenda, the managed service provider used by BIW to host all user interactions with BIW Information Channel, was one of the first IT companies in the world to be certified by the British Standards Institution as achieving that standard (see BIW press release). As far as I know, that makes BIW Information Channel the first (and so far only) web-based construction collaboration technology to be hosted on a ISO/IEC27001-compliant system.

Cadweb used to make a big thing about its compliance with IS0/IEC17799, and it still makes the erroneous claim that "Cadweb is the only e-project management system that fully complies with ISO/IEC 17799." This is wrong on three counts:

1. Strictly speaking, Cadweb should have talked about BS7799 Part 2, as this formed the specification against which BSI could assess compliance – there is no certification in respect of ISO/IEC17799.
2. The standards covers security of information assets, and are applied broadly to digital information, paper documents, physical locations and supporting assets (computers, networks and media) and the management of employees. They do not relate to particular software applications, so it would be wrong for Cadweb (or anyone else) to believe that their application was compliant with BS7799, ISO/IEC17799 or ISO/IEC27001 – which is probably why Cadweb use the more vague "system".
3. Finally, Cadweb’s claim to be "the only" standard-compliant e-project management system is wrong. As long ago as 22 March 2002, BIW pointed out to Cadweb, and the readers of professional journal New Civil Engineer, that the Attenda infrastructure hosting BIW Information Channel had also been assessed by the BSI as compliant.