In my last blog I commented on the recent announcement of Google achieving ISO27001 certification for their Google Apps service. This raised a bit of debate amongst friends as to the weaknesses of ISO27001 itself. Like SAS-70, ISO27001 too has certain weaknesses that should not be overlooked.
Weakness 1 – It’s a security management system of your own specification.
To use a metaphor, ISO27001 allows businesses to set their own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it … and then they jump over it. The certification body simply declares that they have successfully performed a high-jump over a bar of their own design. The design and height of the bar do not have to be published or released to partners.
Weakness 2 – Scoping
Organisations can scope the standard to their entire business, a specific business unit, process or site. Take the example of a well-known online American bank that scoped ISO27001 purely to their marketing department.
One of the challenges of the standard is that the logo and branding associated with certification do not identify the scope, for obvious practical reasons, possibly misleading the customer into thinking that the whole organisation, rather than a specific part of it, is compliant.
A clear statement of scope, identifying precisely what business functions are included, is only available by viewing the actual awarded certificate, which is usually closely guarded by the company.
Weakness 3 – Industry Take-up and Understanding
The wide scale adoption and alignment of both the public and private sector to ISO27001 has been exceptional to say the least. ISO27001 is seen internationally as the information security management standard.
Actual certification of organisations against ISO27001, however, has been slow. At the last count there were only 550 companies in the UK that had registered for certification. Compare that to a whopping 4061 in Japan. I believe this slow take-up is due to two main reasons: 1) misunderstanding of what the standard is, and 2) perceived high project cost. These two are strongly interlinked.
Misunderstanding – ISO27001 is still seen, wrongly, as a technical security standard. I often hear organisations say that “we align ourselves with 27001 but the standard is too high to go for certification”. Organisations see it as both technically and procedurally challenging, adding additional overhead to their business. My experience has been that they are usually close to, if not already operating to, the 27001 specification; what they are lacking is a few pieces of documentation to square the circle.
Cost – ISO27001 is still seen, again wrongly, as an expensive standard to adhere to, requiring Gucci technology and highly documented processes. This is also exacerbated by over-eager implementers who typically (although not always) over-specify or over-interpret the requirements of the standard. Registering and maintaining ISO27001 can cost an organisation as little as £750 a year. Compare that to the WTE required in meeting with and responding to customer audits and it’s a small outlay.
Weakness 4 – Business-to-business focussed
While ISO27001 can obviously give business-to-business relationships a competitive advantage, it is unlikely to influence business-to-consumer relationships. Consumers see through the logo, if they see it at all, as just a marketing gimmick.
A prime example of “transparent logo” syndrome can be found with the Investors in People certification. Over 25,000 organisations have Investors in People status, and yet the awareness and understanding of what this means to the prospective employee is extremely limited.
Weakness 5 – Is it truly an independent assessment?
Recently the monopoly of the ‘Big Four’ audit firms (PwC, Deloitte, E&Y and KPMG), which dominate 97% of the FTSE 350, came under scrutiny. This was mainly due to their having been ‘disconcertingly complacent’ in their role in the financial crisis.
This appears to be history repeating itself. The collapse of Enron, at that time the largest bankruptcy in U.S. history, and the trial of Arthur Andersen, Enron’s auditing firm, on charges of obstruction of justice for shredding Enron documents, provide a sound example of the inherent weakness in trusted third-party audit.
The audited are also the paying customers, which risks undermining the ‘independence’ of the assessment.
So what does all this mean?
Certified organisations should expect their customers to undertake a less comprehensive or less frequent audit, but should not expect customers to go quiet on their information security requirements entirely.
ISO27001 cannot be solely relied upon by customers and that weakens the very purpose for which it was conceived. It is however the best we have as an internationally accepted standard for the time being.