ISO 27001 certification doesn't guarantee security
A lot of people think an ISO 27001 certified service is completely secure. In my opinion, that’s not entirely true. I’m not trying to criticize this way of thinking, though, because I understand it can be difficult to grasp the idea behind this certification.
Below I’ve laid out some explanations and analysis with a few examples to help you see what this certification actually means and what myths are not to be believed.
a security management system
The goal of an ISO 27001 standard is to put in place an information security management system (ISMS). Mainly, you should remember that it involves specifying and implementing a system (people and processes) that manages information system security.
The security system should primarily maintain security controls (whether technical or organizational) and update or improve them over time.
say what you do and do what you say
ISO 27001 requires organizations to specify how they will manage information security. This implies a considerable amount of communication that organizations often gloss over due to cost issues and higher priorities.
Basically, organizations must put a control in place for any given procedure (or process). They have to do what they say and say what they do. If a certain process no longer works or is just plain wrong, organizations can (and must) update it and set up a control for the new process. Here we use the wonderful Deming wheel (PDCA – Plan, Do, Check, and Act), which guides all underlying models of ISO 27001 certification.
This means that ISO 27001 certification does not guarantee control efficiency, but instead ensures implementation conformity to pre-defined specifications.
no processes, no verification
Problems arise when organizations don’t specify a process for a given action. This will surely go unnoticed by auditors, because they only make sure that administrators follow processes already in place.
Example: if a process exists for the security impact analysis of any change (RFC – Request For Change) subject to the Change Advisory Board (CAB), then any change made with no official RFC will come in under the radar (for RFC and CAB, see ITIL processes).
As long as this “unofficial” change does not cause a security incident (managed by a specified and monitored process), it will go unnoticed. However, if the post-mortem incident report locates the “off-the-books” change, then administrators will correct it. This is the PDCA model’s good side.
security incidents welcome
Let me reiterate: a process is a process, and it must be followed. It’s not a problem if security incidents arise. However, management of these incidents should follow processes.
Some of you are probably thinking "oh really?” Yes. And I assure you, this system is much better than that of some companies or organizations where no incident management process exists.
the “black hole” between annual audits
To achieve ISO 27001 certification, an initial audit must be performed. Once that’s been done, annual control audits ensure correct system function.
Typically, there’s a mad dash six months before the audit date to troubleshoot and show the auditor that the system works (meaning that administrators monitor processes and launch/continue the upgrade plan).
Between two audits, a lot of things can happen—some great, some not. It all depends on the commitment, expertise, and professionalism of the ISMS teams in charge.
is ISO 27001 completely worthless?
No. Obviously, ISO 27001 is a good standard. A certified information system that complies with this standard relatively guarantees its structured and organized security management over the long term.
Moreover, a system certified each year for several years (about four or five) will certainly be more developed than a system that just received its first certification.
Whatever the situation, it’s important to understand the certification’s full scope (or reach), so as not to be taken in by overzealous believers in ISO 20071.
what else is in the works to take things a bit further?
As for cloud computing, the “continuous certification” approach is a particularly hot topic. To learn more, I recommend you check out the Cloud Audit and Cloud Trust Protocol (CTP) initiatives offered by the Cloud Security Alliance.
For questions about technical components, head over to NIST and check out their Security Content Automation Protocol (SCAP). SCAP is an XML “dialect” designed to automate security control information gathering.
This post was originally posted in French here.
photo: © S.John - Fotolia.com
January 7, 2016John Boyega Jacket Star WarsThis post is just incredible; I have found numerous informative materials on this site. I really want to thank you guys for your great effort. I have bookmarked your site and will definitely read further more informative and interesting articles in future.
I already recommended your site to few my friends and would continue to do it. Beside informative resource and great tips I also really liked your fantastic blogging skills and become a huge fan of your content writing. Thanks again for sharing it with us! Cheers
October 14, 2014British Assessment BureauThe limitation of ISO 27001 is that it is designed for all, so cannot define measures to take, only that you need to assess your risks and set out a plan to minimise these risks. As with most things in life, you only get out what you put in! ISO 27001 is devalued by those business who go into the process just wanting the badge. It's therefore correct to say you shouldn't see certification as a guarantee of security; a company should have a blend of credentials.
May 21, 2014ISO 27001 ConsultantHi there! great post. Thanks for sharing some very interesting and informative content it is a big help to me as well, keep it up!!!
July 22, 2013Gloss Business CardsI had a feeling that all iso products which are certified as iso has a great deal of goodness in it but for now it seems to be not believing at all
July 16, 2013ISO Standards IrelandNice Post about ISO Standards . Thanks for sharing an informatics post.
July 4, 2016
February 8, 2016
January 25, 2016