First I must make it clear that, as an information security consultant, I have supported ISO27001 and its predecessor BS17799 for 10 years. However, as a consultant who advises on risk, it is critical to understand, and communicate, any risks that the adoption of standards introduces, so that businesses get a balanced insight into their options.
ISO27001 has become the de facto standard by which governments and businesses assess the effectiveness of their supply chains' management of information security risks. It is the standard on which CISOs, ISOs, IT directors and other operational managers lay their personal reputation, and the reputation of their Boards and businesses, on the line. But should they? Is the gold standard more a fool's gold, or is it really worth its salt?
How many organisations using ISO to benchmark their supply chain, and even those who have become certified to ISO27001 themselves, have assessed the risk of using the standard to provide assurances about the seriousness with which they take data security? I suspect that in most cases the standard itself isn't an item in any risk assessment, even one required to become ISO certified under section 4.2.1 d – h.
Any organisation relying on this standard to satisfy its need for assurance that its partners and supply chain take reasonable and appropriate measures to protect its data whilst in their custodianship ought seriously to reconsider.
Why? I have an information security mantra which any seasoned information security professional should understand. If they don't, I suggest they quickly assess why.
“if it is made by man it can be broken by man”. Bruce Hallas
ISO certification is just a process. And, as anyone who has been involved in an ISO27001 project or a standalone risk assessment will tell you, all processes have vulnerabilities and are susceptible to all the frailties that the human race possesses, which manifest themselves as threats. Malicious, unintentional, economic and personal threats can all be found here, threatening the integrity of the standard, individual certifications, its effectiveness as an information assurance tool, and its value as a means of managing risk to cash flow and profitability. Seriously, if you have been told that adopting a policy of requiring your supply chain to be ISO27001 certified manages your exposure to risk, without understanding the residual risks and the new ones it introduces, you have fallen into "tick box" management of the risks to your business. More significantly, a perception gap has developed between what the Board thinks its exposure is and what it actually is.
This blog does not intend to outline these vulnerabilities and threats. There will be enough organisations, like Vodafone Australia, who will only realise the vulnerabilities in the standard once they suffer a breach of security and hold their certification up as their defence.
This blog's purpose is to raise awareness, amongst those who are accountable or responsible for managing their exposure to information security risks, whether across their business or within their supply chain, that requiring all their suppliers to be certified to ISO27001 is not without risk itself. Neither is it the magic wand with which to manage PR in the aftermath of an information security incident.
Want to know why your reliance on ISO27001 could be a risk? Want to understand how to manage these risks? Want to close the perception gap between the assurance you thought you had and what you have actually got? CONTACT ME to discuss your options.