Friday, April 10

ISO 27001 Certification: Is it worth it?


Many organizations are searching for a method to demonstrate the strength of their security practices to prospective customers and partners. Many are looking to standards like ISO 27001 and ISO 27002 as the basis for making their security practice statements.

The problem is that even with these international standards, there’s some debate as to what it means to comply and what compliance (and certification of compliance) actually says about the organization being certified.

Before attending a week-long course to certify me as an ISO 27001 Lead Auditor, I thought I understood the meaning and benefits of certification and expected to be a part of a sales drive for ISO 27001 certifications for our clients.

Now, having been through the training and having successfully passed the exam, I am not sure of the answer. I am still convinced that compliance with ISO 27002 is a great thing, and even more convinced that ISO 27001 is CRITICAL to using 27002 correctly. However, what I am not as convinced about is the value of the ISO 27001 certification. Having been a part of a number of what we call ISO 27002 Assessments as well as PCI-DSS On-Site Assessments, I know the value of ISO 27002 and how it can help companies. Further, having spent a week with ISO 27001, I believe that understanding it is critical to successfully implementing a long-term security strategy and implementation plan for any company (regardless of size). Its strength is that it focuses on, and requires organizations to be competent in, four security management areas that are often weak in most companies:

- Asset Identification and Valuation
- Risk Assessment and Acceptance Criteria
- Management Acceptance of these items
- Continual improvement of the security program

Being a consultant by trade and by desire, I’m not interested in playing the part of auditor, with all the restrictions on the kinds of advice I can provide and the lack of judgment I’m supposed to exercise. I value helping my clients and providing valued input and recommendations. The audit process does not and cannot do this. It is there to gather facts and compare them to the standard. It is not there to make security better. So from my standpoint, as one who is qualified to do either an Audit or an Assessment, the Assessment is head and shoulders more useful to an organization trying to achieve effective security.

That said, there is still a place for getting the ISO 27001 Certification: when your customer demands it. If I had a customer who required the certification, and the profit I would gain from them (or future revenues) would outweigh the cost of the Audit, then I'd do it. Otherwise, I'd achieve compliance to the degree I thought practical and derive all the value I could from the assessment and associated consulting.

So my final thoughts on ISO 27001 Certification are: "Do it if you have to." My thoughts on undergoing an ISO 27001 Assessment are: "Do it as a matter of good business." While the two are not mutually exclusive, they are very different. If you need the certification for some reason, and you can justify the cost, then go for it, but I’d start with an Assessment. Just remember that if you have not done your work up front, you are likely going to fail the Audit and eat a large portion of the costs. You will get no help from the Auditors as to what you need to do to improve; remember, they are bound by rules not to provide even vaguely specific advice.

30 comments:

ISO 27001 Training said...

Management can be assured of the quality of a system, business unit, or other entity, if a recognized framework or approach is followed. Compliance with, or certification against, an international standard is often used by management to demonstrate due diligence. Organizations often use a standard as a measure of their status within their peer community. It can be used as a benchmark for current position and progress. Implementation of a standard such as ISO 27001 Training can often result in greater security awareness within an organization. ISO standards contribute more to a company's economic sustainability than ever before. An increasing number of manufacturers and business customers will not even do business with a supplier that is not ISO certified.

Brad C. Johnson, Vice President, CISM, IAM said...

SystemExperts couldn't agree more that the use of a recognized framework like ISO 27001 or 27002 has become an important tool for many organizations. The results of using these frameworks are tangible steps to help improve security and operations: both of which help productivity and efficiency and help protect the company's assets.

AMIT KUMAR said...

ISO 27001:2005 provided Exhibit assurance of the internal controls of your organization

ISO 27001:2005 is a certification which benefits an organization through Information Security Management System (ISMS). ISO/IEC 27001:2005 specifies the requirements for the implementation of adequate and balanced security controls tailored as per the needs of the organization.

Mark Edward Stirling Bernard said...

What’s missing? You completely missed the focus on Quality Management and understanding of the PDCA cycle, as well as the continuous improvement feedback loop. In addition, how about establishing comparable and reproducible results, or stabilization and standardization? And please don’t forget verify and validate. A lot of thought and knowledge has gone into the ISMS, and still today in 2012 it’s not really completely known.

Mark Edward Stirling Bernard said...
This comment has been removed by the author.
Unknown said...

Thanks for the post,

it was an awesome post about ISO 27001 certification,

as an online ISO consultant I believe that to secure data in the business, ISO 27001 certification is required.

Barton Wilson said...

Certification is definitely worth it, since your company will have international recognition as a quality service and product provider. The company will be held in high regard for integrity in keeping individual records and extensive data verification.

- Barton Wilson

Unknown said...

ISO 27001 training is important as it helps an organization build secure information systems that encrypt all the data they have in a secure database for confidentiality purposes.

Charlie Melia said...

As an Accredited Certification Body we have seen a marked increase in firms looking for ISO27001 due to customers demanding it as a mandatory standard in order to do business. It is worthwhile for companies to get the standard before it is imposed on them.

Charlie Melia

ISO 27001 Certification said...

ISO 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. This is a widely-recognized international security standard in which our customers showed significant interest. Certification in the standard requires us to:

Anonymous said...

Hi there, awesome site. I thought the topics you posted on were very interesting.
ISO Consulting

ISO Consultant said...

Thanks for sharing information about ISO 27001:2013 certification, it was an awesome post. As an online ISO 27001 consultant, I believe that implementation of Information security management system.

ISO 27001:2013 Certification Consultant

Anonymous said...

Very good post. I was really searching for this topic, as I wanted to understand it completely, and it is also very rare on the internet, which is why it was very difficult to understand.
ISO 27001:2013 Internal Auditor Training

iso27001consultant said...

Hi there! Great post. Thanks for sharing some very interesting and informative content; it is a big help to me as well, keep it up!!!

ISO 27001 Checklist in English

QTP training said...

Thanks for your information. QTP provides the most precise and independent review of a software application. This automation testing tool is ideal to determine the performance and validity of a software application.

Leyo said...

Really, it's an informative blog. An organization seeking to become ISO 9000 certified contacts an accreditation company that sends auditors, who observe the applicant's compliance with the ISO requirements. iso 27001 certification process

Andrew James said...

Before putting my trust in a company, I first check if they have ISO certification. This is because being ISO certified means they are trusted. Their products and services are of a high standard. One of my most trusted companies is PAPTI. Visit them here: http://www.papti.com.ph

Unknown said...

Thanks for sharing this valuable information to our vision. You have posted a trustworthy blog; keep sharing. CCNA training in chennai | CCNA training chennai | CCNA course in chennai | CCNA course chennai

Unknown said...

It is great information and a valuable post. It is helpful for training and certification services. iso 27001 certificate

Unknown said...
This comment has been removed by the author.
ayshwariya said...
Thanks for this post; it is very informative and interesting. All the points are very useful. Simple but very effective writing. Thanks for sharing such a nice post.

Android Training in Chennai

Unknown said...

Thanks for sharing such valuable information.

ISO certification bodies in Bangalore

Anjali Siva said...

Useful post, share more like this.
UiPath Training in Chennai
UiPath Training Institutes in Chennai
ccna course in Chennai
AWS Training in Chennai
RPA courses in Chennai
DevOps Certification Chennai
Angular 6 Training in Chennai

ISO 9001 CERTIFICATION IN SAUDI ARABIA said...

This is a really instructive post, you're an incredibly skilled blogger. I've joined your blog searching for a more noteworthy measure of your brilliant post. Moreover, I have shared your site on my informal communities!

ISO 9001 CERTIFICATION IN SAUDI ARABIA said...

This was AWESOME!! It also looked so good on the table because it has so much colour.
http://factocert.com/iso-certification-in-saudi-arabia

prashanth said...

Hi there, just became aware of your blog through Google, and found that it’s really informative
iso certification in saudi arabia

FACTOCERT said...

I am sure this post has touched all the internet users; it's a really really nice article on building up new
iso certification in saudi arabia

factocert1 said...

We are top leading ISO Certification Consultants in the world, providing various ISO standards like 9001, 14001, 18001, 22000, 27001 at affordable cost with the services of training, Audit, Documentation, Certify, Gap Analysis, Implementation, Registration, Consulting services.
iso 27000 certification in saudi arabia iso 14001 certification in saudi arabia

Suman S said...
This comment has been removed by the author.
certification said...

iso 27001

good blog