Many organizations are searching for a method to demonstrate the strength of their security practices to prospective customers and partners. Many are looking to standards like ISO 27001 and ISO 27002 as the basis for making their security practice statements.
The problem is that even with these international standards, there’s some debate as to what it means to comply and what compliance (and certification of compliance) actually says about the organization being certified.
Before attending a week-long course to certify me as an ISO 27001 Lead Auditor, I thought I understood the meaning and benefits of certification and expected to be part of a sales drive for ISO 27001 certifications for our clients.
Now, having been through the training and successfully passed the exam, I am not sure of the answer. I am still convinced that compliance with ISO 27002 is a great thing, and even more convinced that ISO 27001 is CRITICAL to using 27002 correctly. However, what I am not as convinced about is the value of the ISO 27001 certification. Having been part of a number of what we call ISO 27002 Assessments as well as PCI-DSS On-Site Assessments, I know the value of ISO 27002 and how it can help companies. Further, having spent a week with ISO 27001, I believe that understanding it is critical to successfully implementing a long-term security strategy and implementation plan for any company (regardless of size). Its strength is that it focuses on, and requires organizations to be competent in, 4 security management areas that are often weak in most companies:
– Asset Identification and Valuation
– Risk Assessment and Acceptance Criteria
– Management Acceptance of these items
– Continual improvement of the security program
Being a consultant by trade and by desire, I’m not interested in playing the part of auditor, with all the restrictions on the kinds of advice I can provide and the lack of judgment I’m supposed to exercise. I value helping my clients and providing valued input and recommendations. The audit process does not and cannot do this. It is there to gather facts and compare them to the standard. It is not there to make security better. So from my standpoint, as one who is qualified to do either an Audit or an Assessment, the Assessment is head and shoulders more useful to an organization trying to achieve effective security.
That said, there is still one reason to get the ISO 27001 Certification: your customer demands it. If I had a customer who required the certification, and the profit I would gain from them (or future revenues) would outweigh the cost of the Audit, then I’d do it. Otherwise, I’d achieve compliance to the degree I thought practical and derive all the value I could from the assessment and the associated consulting.
So my final thoughts on ISO 27001 Certification are: “Do it if you have to.” My thoughts on undergoing an ISO 27001 Assessment are: “Do it as a matter of good business.” While the two are not mutually exclusive, they are very different. If you need the certification for some reason, and you can justify the cost, then go for it, but I’d start with an Assessment. Just remember that if you have not done your work beforehand, you are likely going to fail the Audit and eat a large portion of the costs. You will get no help from the Auditors as to what you need to do to improve; remember that they are bound by rules not to provide even vaguely specific advice.