The Certainty of Certificates
"We have adequately addressed information security because our data center has an ISO27001 certificate."
I'd love to sit down with the party making this statement and dissect its components:
- The statement is intended as a response to a question seeking assurance, such as "Are you sufficiently in control of information security?"
- The implication is that information security exists only within the data center and only in the way the data center runs its own operations
- In addition, it suggests that a certificate provides sufficient assurance, rendering further questions unnecessary

These three points are useful starting points for a more in-depth conversation. The first reflects the increasing scrutiny placed on our suppliers, particularly when they handle our data or personal information. No municipality wants to make headlines for a data breach caused by a third-party provider exposing residents' personal details. That scrutiny applies equally to government agencies, healthcare organizations, service providers, and IT vendors.
The second point treats information as secure as long as the data center is adequately protected, which only holds if the information never leaves the data center. Is there truly no access or processing taking place outside it? If so, the provider's own staff never come near the data. If not, who manages that access, and is the data center really responsible for it too?
Lastly, a certificate is presented as proof of effective information security. An ISO27001 certificate tells you a good deal, but it also leaves a good deal out. Start with the scope statement printed on the certificate itself, and check whether the processes, locations and services on which your confidence actually depends fall wholly within it. A scope can look well-defined yet cover only a fraction of the total business operations, or a single site. While you have the certificate in hand, also check its validity period and that the issuing certification body is accredited; a certificate that has lapsed, or that no accredited body stands behind, assures you of nothing.
Moreover, an ISO27001 certificate signifies that the organization has established a management system (an ISMS) for handling information security systematically. By itself, the certificate says little (really, nothing) about which security measures are actually in place: which Annex A controls apply, which have been excluded, and how far each has been implemented are recorded in the Statement of Applicability, not on the certificate. Taken to its extreme, an organization could be certified because it perfectly understands the risks it faces while having implemented hardly any measures against them.
So, what assurances can you seek?
It's unlikely that an auditor would readily grant an ISO27001 certificate to a party without any demonstrable security measures in place. However, the organization defines the scope of its ISMS and, based on its own risk assessment, which controls apply, with justification for any it excludes. Within that framework a control can be declared not applicable, and an applicable control may still be work in progress. This may make ISO27001 sound like an empty promise, but let's not get discouraged.
Instead, let's treat this as an opportunity for a valuable dialogue. An ISO27001 certificate marks the beginning of a well-protected collaboration, not the end of the conversation. By obtaining it, the organization acknowledges the importance of information security and commits to an ongoing improvement process, whatever the current state of affairs. The only direction is up, towards better security. Request the Statement of Applicability that accompanies the certificate to see which controls apply, which are excluded and why, and how far each has been implemented. Raise the risks and concerns you have about this party with them, and contribute to their Plan-Do-Check-Act (PDCA) cycle.
Last, but never least, let's also critically evaluate ourselves. Information flows through a chain of organizations, and each link plays a part in information security. The cliché holds true: a chain is only as strong as its weakest link. Through collaboration and ongoing dialogue, the entire chain gets stronger.