The Certainty of Certificates
"We have adequately addressed information security because our data center has an ISO27001 certificate."
I'd love to sit down with the party making this statement and dissect its components:
1. The statement is intended as a response to a question seeking assurance, such as "Are you sufficiently in control of information security?"
2. The implication is that information security only occurs within the data center and in the way the data center performs its operations.
3. In addition, it suggests that a certificate provides sufficient assurance, rendering further questions unnecessary.
These three points are interesting starting points for a deeper discussion. The first point reflects the growing trend of increased scrutiny on our suppliers, especially if they handle our data or personal information. No municipality wants to be the next headline, revealing that their third-party provider leaked the personal data of their residents. The skepticism extends to government agencies, healthcare institutions, service providers, and IT vendors.
The second point suggests that information is secure as long as the data center is adequately protected. This implies that information never leaves the data center. Are there no access and data processing activities elsewhere? If that's the case, it means the provider's staff isn't allowed near the data. Or is the data center responsible for all access management?
Lastly, a certificate is presented as proof of effective information security. An ISO27001 certificate offers a wealth of information but also omits many details. Start by thoroughly analyzing the stated scope and consider whether the core processes essential for your confidence fall wholly within that scope. Sometimes the scope appears to be well-defined but covers only a fraction of the total business operations, or pertains to a single business location.
Moreover, an ISO27001 certificate essentially signifies that the organization has established a process to systematically manage information security. This certificate, by itself, doesn't say much (really, nothing) about the actual security measures. In theory, an organization could be certified because they perfectly understand the risks they face without having implemented any security measures.
So, what assurances can you seek?
It's unlikely that an auditor would readily grant an ISO27001 certificate to a party without any demonstrable security measures in place. However, the organization is free to define the framework against which the auditor assesses it, provided it can justify that choice. Within that framework, it's even possible that a measure hasn't been implemented. This may make ISO27001 seem like an empty promise, but let's not get discouraged.
Instead, let's look at this as an opportunity for a valuable dialogue. An ISO27001 certificate marks the beginning of a well-protected collaboration. By obtaining this certificate, the organization acknowledges the importance of information security and commits to an ongoing growth process, irrespective of the current state of affairs. The only direction is up, striving for improved security. Request access to the Statement of Applicability that accompanies the certificate to gain insight into the current status and the full scope of security measures. Address the risks and concerns you have about this party and contribute to their Plan-Do-Check-Act (PDCA) cycle.
Lastly, but never least, let's also critically evaluate ourselves. Information flows through a chain of organizations, and each link plays a role in information security. The cliché holds truth: a chain is only as strong as its weakest link. But through collaboration and ongoing dialogue, the entire chain strengthens.