Understanding ISO 27001 certification
A guest blog by Steve Watkins, Director at IT Governance Ltd
Even though ISO 27001 is the international standard for implementing an ISMS (information security management system) and is used by thousands of organisations around the globe, it occasionally faces criticism on a number of issues.
Those with first-hand experience of ISO 27001 know that, when implemented correctly, it provides a comprehensive guide to managing the information security risks that organisations face.
Further, the accredited certification scheme that enables organisations to demonstrate that they conform with the requirements in ISO 27001 offers real benefits to those who understand how to interpret claims of certification appropriately.
So, what are the Standard’s critics potentially misunderstanding? This blog takes a look at some of the misconceptions, and explains why ISO 27001 is an appropriate framework for managing your information security.
What are the criticisms of ISO 27001 certification?
You don’t know the scope of the ISMS and certification
Defining the boundaries of an information security management system (ISMS) is one of the initial tasks an organisation embarking on an ISO 27001 project needs to get to grips with – this is known as the scope of the ISMS.
There is a good chance that the process of determining the scope will be iterative, with the statement evolving as the project proceeds.
One of the key considerations for the ISMS, for the information security risk assessment, and for the confidence that others can draw from claims of conformity with ISO 27001, is whether the business activities in scope are relevant to the services they use and the concerns they have, and whether the risks associated with the dependencies and interfaces at the boundary of the ISMS have been considered.
The accredited certification scheme that sets the requirements for audit bodies to be able to issue accredited certificates stipulates that the scope statement on a certificate of conformity to ISO 27001 is to be unambiguous.
Therefore anyone who has access to the certificate (whether under an NDA or made publicly available) can determine the business activities covered by the ISMS and the certification, as well as the certification audit body.
You are unsighted on the security controls that have been implemented
ISO 27001 requires that organisations implementing an ISMS produce a Statement of Applicability.
The Statement of Applicability (SoA) lists the security controls that have been determined as required for an effective ISMS, and their implementation status. There is a minimum set of controls that the organisation needs to have considered and that the audit body completes a ‘check and challenge’ against – these are listed in Annex A of ISO 27001, which identifies 114 information security controls, divided into 14 categories.
The SoA identifies all of the controls that have been selected, not just those from Annex A of ISO 27001 – the organisation implementing the SoA can select them from any source, or even go as far as defining its own, but it also has to justify the exclusion of any of the Annex A controls.
Organisations that use Cloud technologies should consider the controls listed in ISO 27017 and ISO 27018. Likewise, the CSA’s Cloud Controls Matrix will provide a useful reference point.
What can you determine from an accredited ISO 27001 certificate?
ISO 27001 certification is a process in which an independent audit body gives a written assurance that the organisation has implemented an information security management system that conforms with the requirements of the Standard.
Experts will invariably urge you to use an accredited certification body, but for those unfamiliar with the certification process, the benefits of accredited certification aren’t necessarily clear – and because accredited bodies tend to be more expensive, you might be tempted to go for a cheaper option.
However, accredited certification is not simply a premium version of ISO 27001 certification – it’s really the only valid version.
If a certification body isn’t accredited, there’s no way of knowing whether it’s applying the relevant framework or standard appropriately.
Likewise, there’s no-one checking that the certification body’s audit practices are sound, that they are independent and that they use competent auditors. Theoretically it could be handing out certifications to anyone who applies.
As a result, it’s impossible to know what weight to put on certifications awarded by non-accredited bodies.
When interested parties (clients, investors, the Board and others) want the assurance of ISO 27001 certification, they are almost always referring to accredited certification. If they see that a certificate has been awarded by a non-accredited body, they are likely to dismiss it.
By contrast, accredited certification provides confidence that your information security practices meet ISO 27001’s requirements. Interested parties will take that as a sign that you can be trusted for the scope of certification described on the certificate and, if they want to know more, they can get an insight into the controls applied within that scope by requesting access to a copy of the SoA.
The issued certificate of conformity is required to mention the specific version of the SoA that was in place when the audit body last conducted its audit, and therefore identifies the controls applied.
Whilst an accredited certificate of conformity to ISO 27001 doesn’t replace the detailed insights that conducting an audit of an organisation yourself would provide, it is a starting point for demonstrating that the organisation takes its information security management seriously, and it can provide some indication of the control stance the organisation has applied.
Want to know more about ISO 27001?
You can learn more about ISO 27001 by downloading the IT Governance green paper Information Security and ISO 27001 – An introduction.
This free guide provides a comprehensive introduction to the Standard, describing how it works and the benefits of implementing its requirements.
It also explains how ISO 27001 fits in to your wider information security practices – including your legal and regulatory obligations – and outlines key things to consider when implementing your ISMS.
----
Steve Watkins is a Director at IT Governance Ltd. He is chair of IST/33, the UK committee responsible for contributions to ISO 27001, ISO 27002 and related information security, cybersecurity and privacy protection standards.