ISO 27001 ≠ absolute security

The 27001 Standard is quite simply a management system. The objective is to set the framework to do security well by embedding a culture of information security within an organisation.

This, when done well, does work: a clear governance structure, defined roles and responsibilities, and an understanding of the organisation's assets and vulnerabilities, together with an understanding of the threats (internal and external) that the company faces. All of this, refined with a good risk framework for information security, enables the organisation to evaluate and manage the most likely information security risks by selecting a set of applicable controls. The standard even provides a summary within the annex of appropriate controls the organisation can select from.

The combination of this creates an Information Security Management System (ISMS). It is structured around the typical ‘Plan, Do, Check and Act’ process of any management system which focuses on ‘continual improvement’; recognising that organisations need to start somewhere and that not all relevant controls must be in place before you can become certified.

Being certified to the ISO 27001 Standard simply validates that an organisation has this governance structure in place. Accredited auditors may challenge why certain controls are in place or not, but provided the organisation can clearly justify its current status, there is little more they can do. It is then down to future audits to challenge whether the organisation is making improvements and acting on issues arising.

This means that a company that has poor or immature security controls can still become certified. The certification process is not a test or validation of control design and effectiveness.

This unfortunately provides a bittersweet moment for the Security Managers and consultants who know of existing flaws: the certificate is seen as a ‘ticked box’ and as proof that “the company is secure!” How can they then bid for more budget? How can they emphasise there is still a very long way to go!?

Over the years I have seen many ISMS fail over time: people leave (along with the knowledge), the project team disbands as they have been taken away from their ‘day job’, the organisation’s focus goes elsewhere and the ISMS owner/security manager is left trying to get budget to actually make the organisation secure! No wonder so many distrust or have no confidence in the certification; it has actually made their lives a lot harder!

This is where the ISMS has failed. 

There is no uplift in governance, no accountability and no emphasis on building a culture of security.

After well over 20 years using the standard, I’m still an advocate. Certification provides a clear way forward for a company that is starting out on improving its security posture, but it is only the beginning of a very long journey.

If you feel your ISMS is dead in the water, or has not provided the structure your organisation requires to build a culture of security, contact us today to revive it. Let’s work out what didn’t work and why; let’s refine what you have and create value from the ISMS you’ve already invested in.

If you are new to the journey, we can mentor your team, give pointers on what to avoid and what the key project risks are likely to be, and act as a sounding board. Alternatively, we can provide the resources to implement and get you up to speed quickly.

About the Author

Yvonne Sears MSc, LLM, CIPM, CISM, PICIP, MBCI, FIP, FAISA has over 20 years’ experience in information security and privacy in the UK and Australia. She has a Master’s in Information Security and Computer Crime, a Master’s in Information Law and is a Certified Information Privacy Manager.

She has worked on several trailblazer projects leading the way on data sharing and privacy issues in sensitive and complex areas and has worked for a wide variety of public and private sector organisations.

She has contributed at industry events as a speaker and has contributed to several publications including ISACA’s Privacy book: “Implementing a Privacy Protection Program” (2017) and “Women in the Security Profession” (2016).