That Our Software Product & Infrastructure is secure?
Sometimes software companies talk about ISO 27001 like a badge that can applied to a product, however the standard defines an Information Security Management System and therefore does not contain specifications for a product.
There are other standards that might be more applicable such as ISO 27018 for protecting personally identifiable information or CSA’s STAR scheme for Cloud based services.
That Our Information is Safe?
Despite this being the ultimate objective of the standard, ISO 27001 provides a risk based approach to information security management, which means the organisation manages risks to an acceptable level – which it defines itself.
By it’s nature, risk is always present and even the most highly controlled environment can suffer a statistical ‘freak’ situation that leads to a data breach.
Having an ISO 27001 system will mean that the likelihood of this is minimal and in the event that a breach does occur, the organisation has established a formal approach to managing the incident, which will minimise the impact of that incident.
That we have applied all the controls in the standard?
Unlike other ISO standards, ISO 27001 is quite specific in its requirements, offering 114 controls and control objectives for the organisation to apply to it’s identified risks.
However, with reasonable justification, the organisation can exclude some of these controls and document that within the Statement of Applicability.
To the outside world it may not be immediately obvious if an organisation has excluded some controls, and which controls those are.
That we have applied best practice of ISO 27002?
It’s not unusual to see ISO 27002 referenced in tender documents, and this can cause confusion.
ISO 27002 provides additional guidance on each of the Annex A controls – however this is considered best practice and not mandatory certification requirements.
ISO 27002 is a useful document, however it’s important to understand from your customer what their information security agenda is.
That everything we do is covered?
As with other management system standards, processes and locations can be excluded from the scope of the certification, however the certificate address and scope statement will reflect this.
As a customer, it’s important to read the wording of suppliers’ certificate scopes and not just take certification for granted.
Our 2014 blog ‘Where’s my data?’ considers the potential issues that arise when data is transferred outside the organisation’s scope.
Conclusion – Information Governance is Key
An ISO 27001 management system will demonstrate your organisation’s commitment to information security and, if used properly, provide a strong framework within which to manage information governance.
However, engaging with the organisation’s stakeholders to determine their security requirements and managing their expectations of information security will prevent potentially damaging incidents in the future.
