VietNamNet Bridge – Only 10 out of the 800 operational software firms have
ISO/IEC 27001:2005 certificates on information security.
The 10 software firms are the biggest ones in Vietnam, including FPT Software,
CMC Soft, Bkav and Tinh Van, while small and medium firms don’t think they need
such a certificate.
Meanwhile, according to Nguyen Trong Duong, Director of the Information
Technology Department of the Ministry of Information and Communication, since
only some big enterprises can meet ISO 27001 standards, Vietnam has been
considered a country with poor information security.
“Information security is now a burning issue in the world. Not only IT firms,
but the businesses and institutions applying IT solutions also have to meet the
standards like ISO 27001,” Duong said.
The certificates are especially important to IT firms that advise enterprises
and help them build their own information security management systems. However,
to date, only banks, finance institutions and data centers have been applying
ISO 27011.
Official ISO statistics show that only 14 Vietnamese enterprises meet
ISO/IEC 27001 standards, including software firms, information technology
companies and businesses in other fields.
As such, counting only software firms, just one percent of the operational
companies meet ISO 27001 standards.
However, other sources in Vietnam have affirmed that 40 Vietnamese businesses
and institutions have met the standards.
Explaining the big difference between the statistics shown by ISO and those from
Vietnamese sources, Dinh Mai Trang, Director of NetPro institute, said that in
Vietnam there are many institutions which have the right to give consultancy and
grant ISO certificates to enterprises. Some enterprises have already received
ISO certificates, but their profiles have not been forwarded to ISO, so their
names do not appear on ISO’s list.
Meanwhile, some enterprises have been removed from the list because they did
not meet the standards in the years after they received certificates (the
certificates are valid for three years, and enterprises have to go through new
tests to get the certificates extended).
Vietnamese businesses don’t want to or cannot obtain certificates?
Duong said that Vietnamese businesses still hesitate to apply ISO 27001 mainly
because of a lack of money. In order to do that, enterprises have to spend big
sums of money on different items, such as building up the procedures for
applying ISO 27001, buying machines and equipment, or maintaining the
information security management system.
In particular, enterprises have to do something which proves to be “impossible”
for them: all of their software programs must be licensed.
Once an enterprise applies ISO 27001, all of its workers have to strictly
follow the set procedures. Meanwhile, Vietnamese prefer working in a flexible
way and don’t want to follow any fixed procedure.
In fact, Vietnamese businesses find it difficult to apply ISO 27001 because the
country still lacks a high-quality labor force in the field of information
security.
Trang said no Vietnamese has been recognized as a lead assessor for ISO
standards. In general, enterprises which plan to apply ISO 27001 have to
hire foreign consultants.
However, Duong said the situation would improve, as the Ministry of
Information and Communication has kicked off a training program on information
security and ISO/IEC 27001:2005 standards for enterprises. It has also promised
to provide up to $20,000 in support to every enterprise which applies ISO 27001.
Buu Dien