HelpSource Q&A 

Download Article Article in Digital Form

We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Q There are a number of certifications that a company can opt for—both in security and IT domains. Whilst ISO 27001:2005 is the de facto information security standard, there are other standards such as ITIL v3 in which certifications are possible today. What are the true benefits of certifications? Some view them as simple badges rendering few benefits. In what way does the money spent or invested on certification efforts render return? Can we use some metrics to measure security effectiveness scenarios pre-certification and post-certification? Please share your candid thoughts.

A Whilst it cannot be denied that some cynically view certifications as badge collection efforts, this view does not apply to all cases. If a company were to implement the controls required to achieve third-party certifications in a diligent and effective manner, there is no doubt that benefits will rain in.

It is essential that we discuss the process of any development of industry standards or frameworks prior to the certifications being made available and that we try to understand the same. Unlike a standard, which requires an enterprise to follow the complete guidance as it is documented, a framework is flexible and can— and should—be customised to fit an enterprise’s size, culture, risk profile, business needs, etc. ITIL and COBIT are examples of frameworks.

Standards/frameworks are developed by a set of experienced professionals in the industry. Any standard/framework is a culmination of efforts put in by various industry experts. There is a thorough review process before publication. BS 7799, a standard on information security, faced acceptance challenges when the British standard was proposed to be an international standard. Some European countries strongly objected to its being accepted as an international standard.

The standard development process also has its own rigour. For example, the British Standards Institution first publishes a standard as a publicly available specification (PAS) document, and comments are invited from academics and industry professionals on the contents. Whilst a number of companies may start deploying or using a PAS within their organisation at this stage, no external third-party certification will be available for a PAS document. For those who remember, BS 25999 (a British standard on business continuity management) was first published as PAS 56 and was made available for public comments and review. Later, taking into account the various inputs provided by the public and professionals, and after due changes were incorporated, the PAS was adopted into a proper certification standard.

We must appreciate that no standards/frameworks appear overnight. True, they undergo a thorough churn due to various changes that happen over time. Some of the old/retired standards/frameworks may appear primitive today, but one must remember that they were fit for a purpose at a point in history.

Not all standards become international standards and are adopted by the International Organization for Standardization (ISO). Some standards continue to remain country-specific; however, certifications may be available for them. Again, BS 25999 is a good example in this case. The use of such a country-specific standard is not restricted to the home country. BS 25999 is used around the world today, even though it is not an international standard.

That said, some standards/frameworks do not meet industry requirements; they may be user-unfriendly and may naturally die out due to a lack of industry usage. For example, the 1998 version of BS 7799 never gained adequate acceptance in the industry.

Standards and frameworks have to be reviewed periodically and adapted to changing business, technology and regulatory environments. COBIT is an example of a framework that has remained fresh and continues to evolve; hence, it has been widely accepted and used.

Given this background information, standards and frameworks are good per se. The problem comes with implementation. If someone adopts a shortcut and puts in place controls for the sake of adoption, the purpose of standard/framework implementation will be defeated. Such strategies may make certification efforts a badge-collection exercise.

So, what kinds of benefits can certification/standard/ framework adoption offer?

  • Certifications/standards/frameworks provide a set of readily identified baseline controls whose usability has been proven by widespread usage within the corporate world.
  • Benchmarking against any industry competitor or fellow player may be possible.
  • For those players in the outsourcing industry, implementation of standards is a boon. Enterprises can showcase their security controls to potential and existing clients who may have concerns about how their information entrusted with the service provider for processing is handled. For companies that outsource their information processing to third-party vendors, it is again a boon.
  • From an outsourcing point of view, certifications/standards/frameworks can be a pre-condition to contracts.
  • Certifications/standards/frameworks help implement consistent measures to mitigate risks. Large organisations benefit by consistent implementation of controls.

Standard metrics that are normally used for measuring security effectiveness can be used to measure the effectiveness of standards implementation.

One must also remember that spending money on security is a prudent business practice and not a necessary evil. Whilst not all benefits may be tangible and measurable, there are innumerable and immeasurable benefits that can be derived when proper security controls are implemented. For example, one may be able to see a clear declining trend on security incidents post-certification efforts compared to prior scenarios. If someone sees an uptrend, it means that there were no reporting mechanisms in the past, which led to nil incident regimes.

Certifications are a must and do render a great deal of tangible business benefits. At the same time, they are not an all-in-one solution to address security problems.

Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP
is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.

Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.