What should an organization do to protect its information?
Many organizations turn to ISO 27001 certification. The ISO 27001 standard offers a well-known framework to implement industry best practices in areas such as security incident management and physical security. But is ISO 27001 certification worth the trouble? Does it make a difference?
After all, certification takes up resources and can be very complex. ISO 27001 can force you to take 114 specific measures across your entire organization, from HR to legal to networking and governance and management. It is already challenging to manage an organization – how can you be expected to implement all of this, too?
To understand whether certification makes sense for your organization, let’s investigate three types of security goals you might have and whether ISO 27001 will help you reach them. Then, I’ll discuss some common misunderstandings about it.
Evaluate Your Security Goals
Goal 1: Reduce the actual number of security incidents and/or their severity
Maybe your organization has specific security issues at hand, such as data breach prevention, denial-of-service attacks or malware. In these cases, the question you need to answer is whether these incidents are fixable by plain procedures and technical security measures.
If the answer is “yes,” don’t go for certification. ISO 27001 entails much more than what you need. Instead, improve your defensive security posture, boost your technical incident response and do more penetration testing.
Goal 2: Prevent out-of-control IT processes
Do you have evidence that your IT is not under control? Can you produce a list of IT assets and installed software? Do all your systems follow the corporate policies for patching and passwords?
If the answer is “no” to any of these questions, it might be worth implementing ISO 27001. The process forces you to implement basic generic IT controls, such as incident management, access control, change management and archival and backup. In addition, you can benefit from a list of specific measures to boost your information security posture.
However, note that your problems have more to do with general IT service management and less with security. You might consider certifying against ISO 20000 (IT service management) instead of ISO 27001.
Goal 3: Demonstrate compliance
Does your organization have a continuous need to show that it takes security seriously? Do you need to provide evidence in the form of certifications or audit reports that your organization is protected?
If the answer is “yes,” ISO 27001 might be just what you need. You can share the certificate with all your stakeholders without restrictions.
Understand 4 Important Truths
After evaluating your goals, you should have an idea of when ISO 27001 might help you. To help you make a decision about whether or not to get certified, we’ll dive deeper into what ISO 27001 entails – and what it does not.
Truth 1: ISO 27001 is a toolkit that must be used by experienced professionals
ISO 27001 forces you to manage information security, implement governance and processes and technical measures. As such, it is a tool that must be used properly by your organization.
You might want to ask yourself whether your employees can implement the tool properly: whether the people in the security team (and those outside of it) have the right background, training and experience, and whether they have sufficient leverage in the organization to force change.
If they don’t have the necessary capabilities, you can use ISO 27001 as a starting point. Reach out to HR and discuss training and qualification or hire external consultants. Once your certification is in place, your external ISO 27001 auditor will keep you informed of major gaps in your security program.
Truth 2: ISO 27001 is mostly a black box for outsiders
An ISO 27001 certificate only shows you the company name, the description of the services and the period of validity of the certificate. It does not tell you anything about:
- The issues that the internal or external auditors have found
- The number of security incidents and whether they were preventable
- The exact assets that are in scope for the certification and the measures (controls) that the organization implements for these assets
You can always inquire about the last item, but it will be difficult to find hard evidence of the first two items; the audit reports are normally confidential.
If you need a report with an opinion of the auditor, consider a different approach that gives you more information. For example, you can ask a qualified auditor for a “SOC 2” report.
Truth 3: ISO 27001 does not substitute for repeating processes
If your organization is constantly in flux, project-oriented and ever-changing, the first thing you need to do is get your organization under control. Define your processes and systems, and ensure that you have people capable of and interested in executing repeating processes.
This is often overlooked as many people hold the opinion that:
- Day-to-day operations and processes are uninteresting
- The real challenges lie in project work
- Any periodic task is curtailing the business’ freedom to act
In such an environment, it will be very challenging to implement ISO 27001 as it builds on repeating and repeatable processes and controls. Persuading stakeholders that ISO 27001 will make you “more flexible” and “take more business risks” only goes so far. ISO 27001 does not achieve this by itself; you need to change the mindset in a large part of your organization.
Truth 4: ISO 27001 requires top management involvement
Which brings us to the last issue: Top management must be involved in ISO 27001 certification. Management needs to inform itself about security, provide resources and be willing to act when problems arise. If management commitment is not in place, ISO 27001 simply cannot be implemented. ISO 27001 is not a quick fix for operational issues.
ISO 27001 is a good tool to help your organization deal with information security issues. As with any tool, you must carefully assess if it fits your needs.
Ask what problem you are trying to solve, and what the capabilities and characteristics of your organization and the environment in which it functions are. Before you start certifying, understand your organization and its needs first!
André van Cleeff works as a DXC Technology security consultant and security manager for various external and internal clients. He is based in the Netherlands.