An Insider’s View of ISO 27001 Certification

Jul 7, 2016

Our Lead Consultant, Colin Brown, has worked with clients seeking ISO 27001 certification since the standard's infancy, and he has seen a recent rise in interest in it. Marketing Consultant Rob Govier asked him some questions, taking advantage of his “insider” knowledge.

You’ve noticed a spike in ISO 27001 Certification. Is this due to high-profile data breaches? Or are clients finally waking up to its value?

The high profile breaches have certainly had an impact. Our clients are realizing that a regular and systematic review of security risks isn’t just a “nice to have” item.

But the main driver is clients’ own customers. They are insisting that they control their security risks. So customers are putting pressure on their suppliers. Pressure is applied to gain an ISO 27001 certification. Also, buyers are using ISO 27001 as a differentiator in procurement. Therefore, waiting until you are driven may be an option, but could also mean lost bids and tenders.

Do you think that the whole cyber security issue will get worse before it gets better? The whole BYOD issue seems to be a major threat.

Cyber security is not going to cease to be a problem in the near future. As long as software companies can save money by reducing their pre-release testing, there will be products with vulnerabilities. Link that with the fact that hackers are as clever as software developers, and it’s pretty obvious that every now and then there’s going to be a failure. And someone is going to be caught out.

BYOD is not such a problem as feared. But I’m always surprised at how many companies tolerate staff (particularly sales staff) wandering around with confidential sales and pricing strategies on private smartphones. At one time, salesmen had to secretly photocopy information useful to competitors in order to get them their next job. Now they don’t need to bother. The information they need is probably in their phone anyway.

What do you normally find when you do an initial analysis for ISO 27001 certification? Are you often shocked at what you find? What are the common weak spots?

It’s not unusual to find that data backups never leave the site. As a result, they would burn with the rest of the premises. It’s also very common that nobody has ever tried to actually test a backup. So even though your failure might not be as catastrophic as a burnt-down factory, it’s always worth checking that precautions do actually work.

I often see a tendency to “trust” rather than positively verify. “The MD of the IT service company goes to rugby matches with the Sales Director, he’s a really good guy. A great laugh, talks about software and servers all the time. He must know what he’s doing. He’s the expert after all…” I wish I had a pound for every time I’ve been told this. I could also talk about “IT Maintenance” companies run from a garage, and server “farms” which turned out to be a single server, with broadband but no fire alarm, no UPS back-up power and no staff to monitor them.

It’s always worth asking your “outsource partner” a few very basic probing questions. You could even visit their premises.

How often do you find that clients are already using “best practice” anyway?

I would say most companies are 70% of the way there already. However, with security, the extra 30% is often crucial, but expensive. Having an unchecked security leak is like having an undetected illness. The ignorance might stop you worrying, but sooner or later it could also kill you.

There’s a “part two” of this interview on the way soon! Meanwhile, Colin Brown is happy to share more of his forthright insights on ISO 27001 Certification. You’re welcome to drop him a line.