I really enjoyed reading the interview with Adrian Asher in the latest edition of SC Magazine. Adrian is global head of security for Betfair: a company with more than a million registered customers processing as many transactions each day as the London Stock Exchange. I think that's a security challenge most of us would like to get our teeth into.
Adrian mentions an impending ISO 27001 audit, and it started me off wondering if perhaps I'm guilty of neglecting this important standard. For those of you who are not familiar, ISO 27001 is regarded as the de facto standard for establishing, maintaining, and improving an Information Security Management System (ISMS). Achieving certification against the standard is evidence that an organisation takes information security seriously.
I'm certainly not unfamiliar with the standard, having documented a gap analysis for my organisation a couple of years ago. What I wasn't able to do is build a convincing business case for proceeding with a project to achieve certification. At the time, being ISO27001 certified wasn't viewed as adding value to an organisation that already had in place many mature risk and information security management processes.
I now find myself wondering if this wasn't short-sighted. I've been re-reading the standard and also reading about how others have gone about their own programme of certification and the benefits they achieved from it. The aforementioned Betfair, for instance, is reported as now being able to "demonstrate its commitment to the integrity of its information systems, assuring its customers of optimum security for personal details." The CEO of CHKS, a medical consultancy organisation, stated that "ISO 27001 has provided a rigorous standards framework against which we can be objectively measured. We are delighted to have achieved this internationally-recognised certification especially as the role of IT in corporate governance continues to expand". Monitor Media, a solutions development organisation which also achieved certification, states: "Though we've always taken the issues of information security extremely seriously, it was nevertheless appropriate to invite an external audit from a tough and respected body like the BSI."
There are many more examples I could quote from. In short, the message is that becoming ISO 27001 certified is an indication not only of taking security seriously, but also of following a good process of governance that can be recognised within the business and by customers too. Win-win.
There are many other positive reinforcements of the message that certification is a good thing, such as the blog posting here from Brian Honan. In fact there appear to be few, if any, downsides other than managing one's resources sufficiently and making the time to commence a certification project.
So, I'll be thinking about ISO 27001 over the coming months and looking for the opportunity within my own organisation. I'll let you know how it goes.