In a world of increasing complexity and compliance demands, and a growing need for clear and understandable assurance about information security, ISO 27001 certification is growing in popularity. In many cases service provider and supplier organisations will look to achieve certification to this standard to demonstrate their commitment to information security to customers (including potential customers) and business partners alike. More and more often, contracts and tenders demand that suppliers are certified, and this trend is on the increase. Indeed we have seen this in the past with spikes in the demand for ISO 9001 and ISO 14001 certification.
From my experience, I have heard many people say things like “company X is certified, therefore they must have good security” or “why would you want to ask more questions? These people are ISO 27001 certified, why challenge the certificate?”. Are they right? What does an ISO 27001 certification really tell us?
The first point to make here is that ISO 27001 is a clear, well-developed set of requirements for an Information Security Management System (ISMS) which, if implemented with the right level of thought and planning, can deliver real business value, allowing an organisation to keep its risks under control and providing an excellent foundation for the efficient management of security risks going forward.
The standard is often misunderstood, and much maligned by those who see implementation as bureaucratic or as something which requires unnecessary security controls. It is in fact possible to implement ISO 27001 in a manner which fits your organisation and its risk profile: the organisation should choose the security controls that address the real risks it faces. ISO 27001 does not demand controls for the sake of control. What it requires is a set of processes to identify and assess risks and then to treat them proportionately. So if you hear anyone say “we need to implement this control to pass the audit” then something is clearly wrong.
So we know that ISO 27001 is focused on creating a framework for managing information security risks, the building blocks if you like that any organisation should have in place, and is not a long list of must-have technical requirements. Nowhere does the standard demand a specific type of firewall or intrusion detection system, for example.
That being the case let’s be clear about what an ISO 27001 certificate tells us about an organisation that is certified:
- It is clear that the organisation understands its security risks and has a framework to handle those risks
- The organisation appears to have the basic building blocks of people and processes to handle security risks to a certain level (a level chosen by the organisation itself and not stated on the certificate)
- They have provided enough evidence of this during their last audit to achieve certification
So what cannot be confirmed from an ISO 27001 certification?
How “good” the organisation’s security is. A certification does not confirm the detail of the security processes, technologies and controls implemented by the organisation. For example, two organisations can both be ISO 27001 certified and have very different levels of security control in place. Does the organisation have the level of security control we really need or expect? Perhaps more questions need to be asked. How well protected is the organisation from a technical perspective? An ISO 27001 certification audit will look at the processes in place, such as how risk assessments are conducted, what policies are in place and how staff are educated on security matters, but very rarely will such an audit actually test the technologies deployed. Hands-on security testing of any form (vulnerability scanning, penetration testing, configuration review) is not something carried out in an ISO 27001 audit; the auditor may check for evidence that the organisation performs such testing itself, but will not perform it.
So if your organisation is passing its information to a third party to process, or you are buying into a service which involves access to your information, you should want some clear assurance on information security. If the provider is ISO 27001 certified (or you demand this of them), what should be asked beyond the tick in the box of a certificate?
1) What is the scope of the certification? An organisation can scope an ISMS to cover any set of processes, business areas or systems it wishes. Does the scope cover the services you are buying? For example, if you are buying a cloud service and only the accounts department is ISO 27001 certified, the certificate is not going to be relevant. You can see a brief outline of the scope on the certificate, but you may want a clearer description, including which locations, systems and services are covered.
2) How does the service provider organisation assess its risks, and what does it consider an acceptable level of risk? If the service provider organisation is quite open to risk and risk hungry, it may have accepted a lot of risks and can still be certified. Does this level of risk acceptance align with your organisation’s?
3) Who issued the certificate? This is a really important topic, so much so that I will be writing a specific blog in this area. For the certificate to carry any credibility, it should have been issued by a certification body accredited by a national accreditation body that is a member of the International Accreditation Forum (http://www.iaf.nu//articles/IAF_MEMBERS_SIGNATORIES/4); in the UK this is UKAS, in the US ANAB, and so on. Accreditation means the certification body is itself assessed against the requirements for bodies certifying management systems (ISO/IEC 17021 and, for ISMS certification, ISO/IEC 27006), and an accredited certificate will normally carry the accreditation body’s mark alongside the certification body’s logo. If the body that awarded the certification is not accredited by one of these recognised accreditation bodies, then in truth the certificate lacks credibility: how do you know the audit was performed to valid standards? Always ask this question; you will be surprised at how many unaccredited certifications exist.
4) What controls has the service provider organisation actually implemented, and is it willing to share its Statement of Applicability (SOA) with you? The SOA lists every control in Annex A of the standard (114 controls in the 2013 edition; the 2022 revision reduced this to 93), states whether each is applicable and why, and records whether it is implemented. Does that list meet your expectations or requirements? Compare the SOA against the scope from question 1: a control marked not applicable because a system is out of scope tells you something quite different from one excluded because the risk was accepted.
Asking these few additional questions will really help you understand the value of the certification in question. It should not take too much time or effort, and it will at least give you a feeling for how far you can rely on the service provider’s certification as assurance against your own requirements.
To be clear, and to summarise: ISO 27001 is an excellent standard, and independent certification provides a level of assurance; this blog does not attempt to underplay that important point. It is not, however, the be-all and end-all, and you may need much more assurance (even when you get satisfactory answers to the four questions above) about the security levels that will be delivered by your service provider or supplier.
Graeme Parker is an experienced professional in the fields of cyber security, risk management and governance, with proven experience in implementing and developing effective management systems in these areas.
If you have any questions, please do not hesitate to contact Graeme at: firstname.lastname@example.org
For more information on ISO 27001 solutions and training, please see: