South Africa has a mature history of implementing management systems for key areas, specifically Quality, Environment and Health & Safety. This focus was driven by the large multinational organizations and the historically strong South African mining industry, which were either compelled to do so by regulatory or contractual drivers or did so because it added business value.
Whenever South African companies needed an international standards certification body, they relied on the South African Bureau of Standards, a local certification body at the southern tip of Africa. Until recently, companies had little choice of certification body, and choice is what brings benefits in terms of cost, quality and reliability. Many certification bodies have now established a local presence, and this is helping to increase the number of companies seeking certification across a range of standards.
Information Security for South Africa
The risks related to information and cyber security have increased significantly over the last 5 years, as attacks now critically endanger the profitability and even the survival of organizations across the world. These risks are compounded by the use of cloud, mobility and the reliance on third parties. Improved security is vital for organizations, and certification can be considered one aspect of training and increased security.
2017 has been a massive year for South Africa, with major corporate governance scandals and information security related incidents. Two massive data leaks caused by information security control failures have highlighted the risks. In May, an explosive leak of “State Capture” emails revealing the South African government’s collusion with external parties to conduct illegal activities was uncovered; these emails had been leaked by an internal employee. In October, an independent security consultant discovered an unprotected file on the internet containing more than 30 million personal detail records and 2.2 million e-mail addresses of South African citizens. In addition, global cyber-attacks such as WannaCry and Petya have affected South African companies and further reinforced the need for information security management.
In the last 6 months, South Africa has also experienced significant corporate governance failures, which have had an adverse effect on the South African stock exchange and the overall economic outlook of the country, and which even destroyed a major international public relations company. This, combined with the government bribery issues, has put further pressure on organizations to consider managing cybersecurity vigilance. Another main reason that demand for ISO 27001 Information Security Management System (ISMS) certification has been growing year by year is the changing regulatory requirements and pressure from external parties (i.e. clients and business partners) to implement controls around how organizations protect information.
South Africa has a corporate governance standard, King IV™, which asks listed organizations to be transparent in the application of their corporate governance practices, and this standard has a strong Information Technology component. In addition, the Protection of Personal Information Act (POPIA) mandates privacy and the related information security requirements, which align well with ISO 27001.
A Survey of Management System Standard Certifications conducted in 2012 by ISO states that South Africa saw a significant increase (55%) in the number of ISO/IEC 27001 certifications between 2009 and 2012.
However, the number of companies certified was still very low (22 in 2012). Many companies had nonetheless been aligning their security and IT controls to the standard, and since 2012 the number of certification projects has been steadily increasing. Many tender documents now include ISO/IEC 27001 compliance as a standard requirement for vendors dealing with information.
We have seen how most major local organizations have elevated the importance of cyber-related risks and are implementing cyber control projects, while considering certification projects that are aligned to the regulatory environment and their overall risk management strategy. In addition, the large organizations are prescribing assurance requirements onto the smaller companies they deal with and their suppliers, which has a cascading effect on compliance.
Information security related certification has been steadily increasing, and evidence suggests that this trend is likely to continue. We believe that ISMS certification will become far more prevalent in South Africa as organizations operate globally and look for a consistent approach across all stakeholders involved.