'

UK cold on mandatory security audits

Government and businesses agree that British companies should not be forced to conduct an audit of their IT security each year

Companies, politicians and analysts are united in their belief that the introduction of compulsory IT security audits in the UK would not be a welcome development.

There is little support for a British version of the Corporate Information Security Accountability Act -- a piece of legislation under scrutiny in America that would force publicly traded US corporations to certify that they have conducted a computer security audit each year.

The UK government says that it is concentrating its efforts on protecting the nation's critical national infrastructure -- telecoms, water, energy and public services -- and that other companies must take responsibility for their own IT security. But Jeremy Beale, head of e-business at the Confederation of British Industry (CBI), believes that the vast majority of medium-sized and small businesses don't have the in-house technical expertise to make themselves secure and to engage with suppliers. "These small firms will be part of a supply chain with larger companies, and the security and robustness of a supply chain is only as strong as its weakest link," Beale told ZDNet UK. Despite this knock-on effect, the CBI says it doesn't support the introduction of compulsory IT audits because suitable standards aren't yet in place.

And many other experts claim that making firms vouch for the security of their networks and systems annually would actually encourage them to neglect the issue for the rest of the year.

Click here to read the full special report on ZDNet UK Insight.