When explaining why an organization should certify against an international standard for managing information security risk, such as the ISO 27000 series and in particular its certifiable part, ISO 27001, one could argue the case from several angles.
For example: analyzing the return on investment under different implementation scenarios, cost advantages, brand recognition, regulatory aspects, the relationship between the international standard and local regulations, or the synergy with other management systems that are probably already implemented or under way, such as ISO 9000, ISO 14000 or ISO 20000, among others.
We could also start with something much more complex: detailing which risks the standard would help mitigate, from which all the other aspects follow much more simply.
But why are the risks so difficult to describe? Precisely because they do not stand still: they constantly evolve.
They are always latent, even though they are not easily seen.
So if today, as the standard suggests, we drew up a list of assets, detailed all the threats that affect them and the vulnerabilities associated with those threats, and finally assessed the resulting risks by their impact and probability of occurrence, we could be sure that the next day that assessment would already be outdated.
This is why the standard begins by defining the management system that will serve as the basis for managing risk, before even touching on security issues themselves: systematizing the discovery, treatment and mitigation of risks, and sustaining those activities over time, is a necessary condition for being considered "minimally secure", with all the difficulties (and justified criticism) that putting it that way may entail.
Once a risk management system has been implemented, with all the considerations above, including periodic reviews by a Security Committee that allocates resources, verifies the implementation of controls, promotes continuous improvement of processes, and adjusts the organizational policies that complement the security measures by incorporating them into a training and awareness plan for everyone who interacts with company information, we will have only a glimpse of what it means to have ISO 27001 in an organization.
This standard touches every area and process of the company, including Human Resources, Technology and Legal, and it has also driven one of the most important cultural (and political) changes of the last 10 years in organizations in general: the separation of duties between the Technology and Security areas, with the latter ideally reporting directly to the CEO and/or the Board.
But the purpose of this note is not only to talk about ISO 27001, but also about why it is worthwhile to certify the implementation of the standard: is implementing it alone not enough?
From my experience, certification adds a fundamental component, which is external audits: these are carried out (ideally) by professional auditors who gain experience day by day auditing organizations in different markets, countries and types of business, bringing objectivity to the implemented management system through the observations and non-conformities they detect.
In an ISO management system it is desirable that points for improvement emerge; otherwise, what would be the point of having a system based on continuous improvement? And when only internal audits are carried out, we miss an unbeatable opportunity to validate the effectiveness of risk management.
Now we can go back to the beginning of this note and list all the advantages we will surely have after obtaining the certification, aware that behind a certificate there are many more benefits for the organization, even though sometimes "the essential is invisible to the eyes".
Gabriel Marcos is Product Manager at Global Crossing
Source: iProfesional