Why certify and what is ISO 27001?

ISO 27001 has become the de facto standard for Information Security Management System certifications. Most other security standards are based on or refer to ISO 27001 at least to some degree. We also see a trend that regulators are keen to use ISO 27001 as a baseline for security instead of inventing yet another new standard for industry actors to follow.

For instance, the Payment Service Directive 2 (PSD2) currently under development had in a draft version a requirement for an ISO 27001 certification in order to comply with the directive. Later on, this requirement was removed in order to keep the directive technology neutral. While ISO 27001 is not a requirement for PSD2, we estimate that future audits in this area will likely be based on ISO 27001 to some degree.

A similar case can be identified in Finland related to the eIDAS regulation (electronic identification and trust services). Finnish Communications Regulatory Authority (Ficora) is the regulatory authority for strong electronic identification in Finland. Originally, they planned to require strong electronic identification service providers to follow ISO 27001. Again, the market objected to the idea that a specific standard should be used. Therefore, Ficora decided to develop their own audit criteria that is based on ISO 27001. Still, the preferred solution is an information security management system in compliance (but not necessarily certified) with ISO 27001. This is spelled out in Ficora’s Finnish Regulation M72/2016 section 4: The identification service provider shall apply the ISO/IEC 27001 standard or another corresponding, well-known information security management standard to the management of the information security…

Cloud Security Alliance chose to build their STAR certification on top of ISO 27001 meaning that an ISO 27001 certification is required before the organization can become CSA STAR certified. For other industries, there are ISO 27002 (set of security controls) adaptations available.

And in Germany, the Energy Act (EnWG) mandates electricity and gas network operators to certify to ISO 27001 by January 31, 2018 which further underlines the role ISO 27001 will play in the future.

All in all, those companies with an ISO 27001 –certified ISMS have had much easier time while being eIDAS-audited than their competitors without. The very same is happening in the German utilities sector. And, if we are not badly mistaken, other industries will follow soon.

While the proliferation of standards starts to pose a problem in different industries, ISO 27001 can help the industry actors in managing the different standards effectively as they typically have a strong link to ISO 27001 and since ISO 27001 supports the idea of selecting security controls from other sources as well. A well-tuned ISMS provides a good basis to manage multiple standards and requirements. The regulators can also make a choice of basing their requirements on ISO 27001 or by creating yet another new standard. Furthermore, it is relatively safe to assume that the above-mentioned proliferation of new security standards in the market is likely to eventually reach a saturation point that will trigger a movement toward more general standards.
While some organizations may hesitate to the idea of voluntarily choosing to comply with a security standard and paying an auditor to check their compliance, one should remember that ISO 27001 is risk-based and can be tailored to fit the organizations business objectives as well as the organizations size, industry, ways of working etc.

As many security standards require full compliance with all requirements before a certificate can be granted (such as PCI DSS), ISO 27001 allows nonconformities to some degree. The important thing is that there is a functioning ISMS that continuously improves itself. Nonconformities are therefore not a deal breaker but a part of normal operations that need to be dealt with in a timely and appropriate manner.

A well selected security auditor provides the organization with valuable observations that keep the ISMS on par with the constantly evolving threat landscape. One could argue that the strength of ISO 27001 lies in its general nature, which serves to provide a solid foundation for other more specialized certifications to build on. Organizations often find that ISO27001 in itself covers a considerable percentage of requirements set in other standards. This also works the other way: if a company has an information security certificate, say PCI DSS, they have taken many steps towards ISO 27001 ISMS.

ISO 27001 certification is already a must-have

An ISO 27001 certification has proven to be valuable market differentiator especially for small companies such as start-ups that provide services that handle confidential information. While the company may not be known to its potential customers ISO 27001 certificate is globally known and accepted. For enterprises, an ISO 27001 certificate (or similar) starts to become a must since most of the competitors are already certified.