The basics of ISO 27001 Security...
> The basics of ISO 27001 Security is an inherent consideration in the way you work,
> not something you look at every few months when an audit is due.
So utterly different from the way ISO9000 works then?
ISO/IEC 27001:2013 is more commonly known simply as "ISO 27001". It is, as the ISO website puts it, "the best-known standard in the family providing requirements for an information security management system". On the other hand, many businesses think it is a highly complex, unattainable standard – and a pain in the backside – …
ISO standards are almost by the very definition worthless. Just keep in mind that you can be in the business of manufacturing life vests made of solid concrete and still be able to certify your production as compliant to ISO 9000 if you make an effort to.
But, quite like democracy, this shitty system is obviously what we came up with so far and hence preferable to no system at all.
@AC
Bingo, that's so common it's sad. In procurement I regularly have to ask a lot of questions to ensure that the supplier is competent. Quite often they'll wheel out "but we're ISO27000" as some sort of catch-all that is supposed to mean absolutely everything is ok. And as described, when you get to it the scope of compliance is narrow and whatever they are selling is a pile of shit without basic security in place.
But I do enjoy the look on the salespeople's faces when they try, "but we're ISO27000" and the answer is "so what?"
As someone on the receiving end of customer audits, I wish there was some useful standard that encompassed everything all of our customers require, and third party auditors that all our customers trusted.
That way maybe we could spend a few less months a year of all-work-halted answering mostly the same auditor questions.
> ISO standards are almost by the very definition worthless. Just keep in mind that you can be in the business of manufacturing life vests made of solid concrete and still be able to certify your production as compliant to ISO 9000 if you make an effort to.
This article isn't about ISO 9000 (or 9001 for that matter) but since you brought it up, it's clear that you're completely missing the point of ISO 9001. ISO 9001 certifies that your internal processes are sound. It has no bearing whatsoever on the usefulness of your product.
If you're seeing "ISO 9001 certified", and expecting it to mean that a company makes good products, then it's no wonder you think ISO is useless. On the other hand, if you're seeing "ISO 9001 certified", and the certified company is trying to make you believe that the certification is proof that they make good products, then the company is misrepresenting their certification. It would be like someone with a maths degree trying to use it as proof that they're really good at English literature.
Your hypothetical manufacturer of concrete life vests may very well get ISO 9000 certified, and it would be perfectly valid if their internal processes were sound. (To bring us back on topic, they may even get ISO 27001 if they also had good IT security practices.) But in the world of life vest manufacturers, there are other certifications and standards that are important and far more relevant to their day-to-day trade.
In short, ISO 9000 or 27001 certifications are a good indicator of a well-run company, but they are not a substitute for other more industry-specific certifications and standards. If you're missing those, then an ISO certification isn't going to make up for it.
I am fully aware of the scope and requirement for the ISO9k family and have spent a good bit of time watching companies implement those a few decades ago (as a bystander, but still).
The problem is how ISO is represented. You are very likely a techie, or at least someone who looks behind shiny things to figure out how they work. Don't make the mistake of assuming that for everyone. There are far too many people who don't go that mile. Many of those wash up in management. ISO9k was rep'ed as "Quality Management Norm". That is the very problem. You can read it as "a norm to manage quality". As in "ensure quality".
That is FUD deliberately thrown into the eyes of decision-makers.
I think your caricature of ISO 9000 is a decade or two out of date - at the very least, it should be clear to any potential purchaser that the lifejackets were made of concrete. But anyone wishing to rely on ISO 27001 certification as a guarantee that a potential business partner has strong IT security needs to check two things: the Scope, and the Statement of Applicability. One of my clients has a scope covering two people, two servers, a router and an Internet connection - which it required for a specific purpose.
It's true that an organisation may choose to restrict its scope statement in order to simplify certification. But there are hidden gotchas lurking. For instance, if the HR department isn't in scope, then you can't rely on them following your security policy. So your security requirements for hiring and firing would need to be the subject of a formal agreement with HR, much as would be needed if you were using an external organisation for the purpose.
It tells me nothing about the actual state of security, only that a bunch of paperwork has been written and a process was followed to generate said paperwork. What I want to see is the vulnerabilities discovered in your latest externally-vetted pen test and how they were managed without causing regressions in other areas of the business.
Basically, I want to know how and where you’re weak and what you’re doing about it.
No amount of paperwork competes with that.
In my workplace we work to ISO/IEC 17025. We are accredited and get an accreditation certificate because we are formally recognised "by an authoritative body of the competence to work to specified standards".
Certification on the other hand represents "a written assurance by a third party of the conformity of a product, process or service to specified requirements".
Now certifying bodies are in the marketplace to get trade and compete to do so. There are at least 30 listed on the UKAS website for UK organisations to use to be certified to 27001. Assessment bodies, on the whole, are only one or two per country with no poaching across national boundaries where possible.
Whereas I'm in favour of standards as a principle, they act as a barrier against the entry of small companies to the market.
I wholeheartedly recommend simply sending a couple of people on an ISO 27001 Implementer or Auditor course. It's a few days and a couple of thousand pounds well spent.
Fine for large corporations, but if you're a startup of two people, working from home seven days a week to get off the ground and living on ramen, then a few days out and a few k just isn't feasible. The problem is that standards tend to get formed from the practices of large companies, and even if they are not consciously trying to shut out disruptive startups, the resultant standards have that effect. What we need are gradual versions of pretty much all standards that increasingly apply as a company grows. Startups get a half page check list of absolute no-nos to work on, with dirt cheap (maybe even pro bono) auditing, working up to the full standard when/if the company hits a certain size or turnover (with clauses to prevent gaming it by splitting into subsidiaries).
I think for this scenario some compliance initiatives have made leeway. PCI and Cyber Security Essentials come to mind, since they allow 'smaller' companies to 'self-certify' as opposed to being externally audited (with the costs that accompany this). It still won't make them secure since they just fill in a questionnaire to say 'All's good here!'... but at least they get to participate in the compliance fun.
> The problem is that standards tend to get formed from the practices of large companies, and even if they are not consciously trying to shut out disruptive startups, the resultant standards have that effect.
I can see the point you're trying to make. The really small business you describe isn't going to have the resources to get certified, and it's not fair.
But it really doesn't have to be just for the big boys. Sure it's not going to work for your two-man shop, working from home and no spare cash, but I used to work for a software company with 80 employees that had ISO 9001 and 27001 (and also 14001, but that basically just means they're good at using recycling bins and not leaving PCs turned on overnight). 80 employees isn't a lot. Sure it's not the tiny start-up you described, but it's hardly a multinational conglomerate either.
There's also no obligation to get ISO certified unless your customers insist on it. The company I worked at had some institutional customers that they would not have been able to work with if they didn't have these certifications, but they didn't start out there; they got plenty of business before they got certified; just not from those particular customers.
> What we need are gradual versions of pretty much all standards that increasingly apply as a company grows. Startups get a half page check list of absolute no-nos to work on, with dirt cheap (maybe even pro bono) auditing, working up to the full standard when/if the company hits a certain size or turnover (with clauses to prevent gaming it by splitting into subsidiaries).
This is where I have to disagree with you. The article is about ISO 27001, which is for IT security.
IT security is not something you can be half-hearted about. Not if you're selling to the kind of people who care about this certification.
If you're trying to sell election voting machines to the government, for example, they're going to need to know that you've done everything possible to avoid getting hacked. It's mission critical. You can't tell them you only did the most important bits of your security audit and didn't bother with the rest because you're not big enough to need to do them. Hackers thrive by finding those edge-cases, so if you're selling into that kind of market, your security needs to be solid all the way through.
Seriously; certification is a few grand, not a million bucks. Even the smallest company can afford that if it's a necessary requirement for them to do business in their chosen marketplace.
I understand the point you're making, but I'm not comfortable with it. After all we wouldn't be saying "oh well, they are just a small company, they shouldn't have to adhere properly to the standards for tcp/ip packets" would we?
But if I've got a 5 person business I probably don't employ an accountant full time, and I don't stop running the business and train to become an accountant myself. Instead I probably have someone skilled coming in one afternoon a week to do my books, who is also doing another 9 companies' books on the other mornings and afternoons. Maybe something on the same lines is needed?
If you can't afford to go on the course, then buy a copy of the standard and read it.
Most of the ISO standards have been written to meet or incorporate elements of 9001 for management systems and there's enough free material on that. If you're a small company then you're also small enough to be flexible and change the way you work. Once you have a Quality Management System and have learned to operate to it, you are on the right path.
If you keep your focus narrow then your documentation, auditing and so forth will be simpler than if you offer all things to all men (as the phrase has it). A fair part of an audit is checking that things that ought to have been done, have been done, and that having done them, it's been recorded.
Standards are biased towards large companies
> Whereas I'm in favour of standards as a principle, they act as a barrier against the entry of small companies to the market [..] if you're a startup of two people, working from home seven days a week to get off the ground and living on ramen, then a few days out and a few k just isn't feasible.
You are absolutely correct, but it only takes 3 good coders about 2 months to fix that (so if you're interested, let me know and we'll find a way to get in touch and set it up). Part of the volume problem is the exact standard you're certifying against: 27001 is really only about having systems in place. The one you really need, even as a small shop, is ISO 27002, because that sets out what you actually DO (which then gets recorded in the prescribed 27001 IMSI, which is not what a small outfit needs).
Thus, ironically, the thing you can not certify for is that you actually live 27002 as an organisation because your auditor will only consider the expense of an IMSI and the effort it takes to feed that data as something they can check, which to me is mildly certifiable (yes, yes, I know, don't give up the day job for pun comedy). The initial goal of all this 27000 malarkey was not to enrich auditors, it was to make IT safer for all of us. To me that includes small mom, pop and daughter shops too.
How do I know?
I've been helping companies with good security since BS7799 was still in draft. I still prefer fixing things over being paid to point out minor flaws when it's time for company bonuses - to me, that is an irresponsible approach to corporate security but it's shockingly common.
The ultimate aim is not certification, the aim is to achieve and maintain the best possible security within the available means. The processes for that are within everyone's grasp.
Like a prison in which the guards are hired, paid by, and can be fired by, the inmates, the quality of the guarding will be limited. From time to time, there will be escapes.
This applies to ISO certifications and FEDRAMP, too, where the certifiers must market their services through sales pitches to the ultimate recipients of the "independent" certification.
"FEDRAMP"? I guess from the capitalisation this is another example of the replacement of plain English with pseudo-military jargon to make it look like you're working for the CIA or Special Forces or something, rather than a vendor of office equipment?
... I was employed by a company which was afflicted by compulsive management reshuffles. When it came to their audit for one of ISO 9001's predecessors, the audit team were guided into the conference room, given a folder of useful information and shown a few slides by the senior management team. At which point one of the auditors pointed out that the organisation chart in the folder wasn't the same as the organisation chart in the slide show.
They may still hold the record as the only company ever to get a Category I failure in the first minute of their audit.
Very informative and realistic article. I can attest to the excerpt below. I've been involved in several 27k rollouts and discovered that maintaining the cert requires as much or more effort and overhead compared to implementing it. Proper care and feeding is required.
> "Although it is not trivial to implement, the difficulty with ISO 27001 is not attaining certification. It is in remaining accredited by demonstrating that you act properly in your day-to-day, business-as-usual operations."