The latest ISO Survey gives the certification figures for 2018 on ISO's management systems standards.
Yes, evidently it takes that long to compile and publish the data.
No, I don't know why it is so slow, except that it involves gathering information from busy certification bodies dotted around the globe. By donkey, maybe.
Anyway, here are some of the stats:
So, by now there are probably more than 32,000 ISO/IEC 27001:2013 certified organizations globally, each cert covering two physical sites on average. A further unknown number are currently in the process of being certified, or have chosen to adopt the standards without being certified compliant.
Compared to ISO9k (quality management) and ISO14k (environmental management), ISO27k (information risk & security management) is way behind, meaning a lot of growth potential - more than 27 times the current uptake to match ISO9k.
Yes, I'm an optimist.
ISO's other management system standards are: ISO22k (food safety), ISO45k (health & safety), ISO13k485 (medical devices), ISO50k (energy), ISO22k3 (business continuity), ISO28k (supply chain security), ISO39k (road traffic safety) and ISO37k (anti-bribery)*.
ISO27k has been most successful in China+Taiwan, Japan and the UK with more than 8k, 5k and 2k certified organizations respectively. India, Germany and Italy are all above 1k with the USA finally catching up the developed world. Meanwhile, New Zealand had just 17 certified organizations by the end of 2018.
So, I'll continue plugging away, doing my best to promote ISO27k.
*For reasons I perhaps ought to explore some day, ISO31k (risk) is classed as a guideline rather than a certifiable management system standard. Odd that, given that most of the ISO management systems concern some form of risk management. Security and safety are clearly amenable to the management system approach, so why not risk?