People & Process Thoughts

Are all ISO27001 certificates equal?

When choosing a supplier that may have any access to your confidential information, it's certainly reassuring if they have ISO27001 certification. Without doubt, maintaining ISO27001 requires significant commitment. It provides reassurance that the company in question are operating a systematic framework to identify, control and mitigate risk and also that they are being audited on a regular basis against a set of best practice requirements compiled by global experts.

But there are 2 camps. Those that seek certification purely because they need the badge. A tick in the box.

And then there are those who either want or need the badge but also that fully embrace the ethos behind the standard. You can't automatically tell who is who.

Bear in mind that identified risks can be mitigated or accepted. You may well find that your risk appetite is lower than that of your potential supplier. What they think is an acceptable risk, may be something you would find inconceivable. Before you decide to take a supplier on face value of having a valid ISO27001 certificate, run through the following points with them:

• What does the scope statement actually say? ISO27001 can be applied to all or part of a business. Make sure it covers the areas relevant to you.
• Who has issued the certificate? A non accredited body may well be reputable, but an accredited body provides independent verification of competence -- a non accredited body really isn't worth the risk.
• Ask for a copy of the Statement of Applicability. This will describe the controls required by the standard, advise you whether they apply to the company and if so, how the requirement is fulfilled. Often, against each requirement, a reference will be made to a particular policy or procedure. For any areas of particular interest, ask for a copy of that policy or procedure and make sure you feel the content addresses your needs.
• Find out about the approach to staff awareness, both for new and existing employees. A signature agreeing to abide by security regulations doesn't prove that any real attention has been taken to educate and inform.
• Visit the premises of the supplier and observe. Can you see evidence of controls in place, for example in the way that your arrival was handled? Do staff appear security conscious? It's the simple things that can be so telling. Are they happy for you to audit them periodically via a site visit should you wish?

So, don't just take ISO27001 as a cast iron guarantee. External assessment visits are after all just a pre-arranged sampling exercise. Ask more of your potential supplier than just a copy of their ISO27001 certificate. If they truly believe in their Information Security Management System, then they'll only be too happy to help.