For those not aware ISO 27001:2013 (to use its Sunday title) has the following opening paragraph on Wikipedia:
ISO/IEC 27001:2013 is an information security standard that was published in September 2013 It supersedes ISO/IEC 27001:2005 and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for an information security management system (ISMS). Organizations that meet the standard may be certified compliant by an independent and accredited certification body on successful completion of a formal compliance audit.
So, what does we read from this? Probably that we can be certified by an accredited body and get a certificate saying we are secure. In the capitalist world that we live in this certificate has a value, we can announce to the world that we have the certificate and (allegedly) prove that we are ‘secure’. Hmmm.
Firstly, let’s be open about what 27001 certifies against; an Information Security Management System (ISMS). It does not certify that an organisation is secure (an impossibility anyway) or has deployed the current vogue of security tools to be considered as secure. The ISMS is there to prove that the organisation considers its risks and has implementation processes to mitigate these risks on an ongoing basis. In its essence this is an excellent thing to do but where does it go wrong? It goes wrong in many organisations where the right side of this equation wins
‘we want to be more secure’ versus ‘we want to be seen to be secure’
There is commercial pressure for outsourcing and hosting vendors to need to be 27001 certified to be in the game. This is good as it introduces the security management concepts into more organisations. But does it make them more secure? Commencing a 27001 accreditation process see an organisation go through a considerable document creation phase; risk assessment, security policies, security guidelines etc all get created in their droves. This becomes the majority view of what 27001 is; a set of documents and processes that we are supposed to live by. The accreditation interviews are conducted with senior managers (who have typically been heavily primed the day before on what to say) and system administrators in the organisation, all the documents are provided and then assuming a suitable level of documents are provided and questions ticked, the initial accreditation is awarded.
All good? Well, maybe, the model of working that 27001 introduces does not in many cases percolate through to the operational practices of these organisations. Senior Managers who are responsible for making decision in their organisation are not, in our experience, changing their model of working in-line with what they are accredited against. Decisions are far too often made in-line with pet projects, vendor influence and personal career advancement.
This is unfortunate as 27001 offers a model of operating at Senior Manager level that is methodical and can minimise ego and personality from decision-making. Surely the role of Senior Managers is just that; – effective decision making.
We are strong supporters of 27001. We are not 27001 auditors so are not saying this just to advertise our services. We like and encourage decision-making that is based on methodical assessment, we believe the output from our engagements whether they are for Enterprise Architecture, Network Design or Orchestration reflect this. We recommend taking a look at 27001 as a model of operating not just as a marketing tick-in-a-box.