Biljana Cerin hosts “Formal ISO 27001 Certification—Gains vs. Losses” at next month’s EuroCACS/ISRM conference in London. We chatted with the Ostendo Consulting board member to preview her presentation.
ISACA: What is one main driver for obtaining ISO 27001 certification?
Biljana: In an ideal world, it would be to ensure that we manage information security in accordance with a recognized and respected international information security management standard. The world, however, is not ideal. In most cases companies go for formal certification with the goal of assuring their clients, employees, regulators and partners of the high quality of their information security management system. Sometimes, however, companies go for formal certifications for some other reasons, such as to be able to participate in public-tendering procedures where formal ISO 27001 certification may be one of the requirements for tenderers. This is a significant achievement as well. However, maybe the system will not be sufficiently supported and accepted within the company, rather serving to “show the certificate” in the tendering documentation.
ISACA: How has the opinion about receiving formal certifications changed in recent years?
Biljana: I am doing this session at EuroCACS/ISRM because of a question I asked my audience at last year's conference in Munich. I asked how many attendees had the formal ISO 27001 certification, and in the pretty large audience I saw only six hands in the air. Then I asked how many are thinking of achieving the formal ISO 27001 certification, and I saw more than 50 raised hands. This is not a valid representation for any statistical observation, but it surprised me. I thought ISO 27001 certification was already an “old story.” This is not true. This standard is designed well and is applicable to organizations of all sizes and types, and many of the different regulations’ requirements are similar to the control requirements of ISO 27001.
With the updated version of the standard coming up soon, I believe the opinion about receiving formal certification will only get better. Also, at first it was seen as primarily an “IT security issue”, but this opinion has finally changed. An information security management system is a precious system that requires careful consideration of many different aspects, starting from understanding human behavior, technology and processes, to fulfilling legal, compliance and business requirements related to information security. If you only look at the variety of the control domains, that tells a lot. And yet, we want to make the application of ISO 27001 controls as efficient and practical as possible. So this cannot all be done by “IT” or “IT security,” but through cooperation of all parts of an organization. It is much better understood now, and I believe this standard is going to have a bright future.
ISACA: What is one loss associated with obtaining formal ISO 27001 certification?
Biljana: Some organizations see the formal certification as a mechanism that forces them to get ready for an audit in the weeks just before the certification company visits. An information security management system should always be there, not just when the auditors come.
ISACA: What is one benefit?
Biljana: Although organizations can implement ISO 27001 and internally enforce all the requirements without undergoing the formal third-party certification assessment, formal certification gives an independent assurance that the organization’s information security management system is implemented and operating in accordance with the respected international standard’s requirements.
This distinguishes such organizations from others, and also makes it easier for them to assure their clients, partners, regulators and other interested parties that the organization applies good information security management practices. This leads to easier achievement of business objectives and fulfillment of various stakeholders’ requirements that might be imposed upon such organizations.
Implementing ISO 27001 as a standard an organization formally follows forces it to “put in order” its internal processes, roles and responsibilities, to follow efficient procedures and to constantly assess and manage information security risks. This is a real benefit that saves money and actually enables organizations to perform faster.
A formally certified information security management system should not be seen as a show stopper or a bunch of burdensome procedures. It actually enables organizations to respond faster to various information security-related incidents, to fulfill compliance requirements, perform risk assessments efficiently, and—most importantly—to manage information security risks in a timely manner.