It would be unusual for an IT services or software company to have no controls in place to manage information security. However, this is often because tech-savvy employees know how to configure their systems securely and not necessarily because there is a structured Information Security Management System (ISMS) in place. IT companies are often good at technology but not as good at structure, policy and management systems.
Many IT service providers introduce security controls in a haphazard way. Typically, ‘point solutions’ are introduced to solve specific problems; others are introduced simply as a matter of convention. Such an ad hoc approach to security policy addresses only some aspects of IT or data security, and can leave valuable non-IT information assets such as paperwork and proprietary knowledge less protected and more vulnerable. The ISO/IEC 27001 standard was introduced to address these issues.