What is ISO27001 Certification?
Explaining what makes the ISO27001 standard relevant for information security professionals today. I tell the story of how I took part in an ISO27001 certification process. I share my expert opinion on how this framework can help an organization manage security in a cost-effective way.
The company I have been working for for the past 4.5 years recently obtained the ISO27001 certification. It's a pretty cool milestone and I'm glad I got to take part in that process. Getting a certification like that as part of a cloud-only company with an AI product feels like treading new ground.
Needless to say, as primarily a compliance specialist, my work really starts now. It's cool to get a certification, but this is not a trophy. It's merely making the national team. Now my job is to raise the bar, keep the pace, and ensure everyone stays on board when the spotlight is not there anymore. It's not easy. I'll take that challenge head-on.
Over the years I've grown to love the ISO27001 standard. Why? This is what I propose to you this week: explaining what makes the ISO27001 standard relevant for information security professionals today.
Don't fret. We're not going to dig into the same boring definitions as everybody else. What I want to show you is ISO seen from a practice perspective. We're going beyond the books! Let's see how the framework can make security actions happen in an enterprise setting.
Why would any company want an ISO27001 Certification?
When I was a kid, whenever my parents drove around the industrial part of my town, the concrete, steel, cardboard and textile factories all exhibited an "ISO 9001" banner. Nobody knew what it meant. Everybody wanted it. Turns out "ISO" is an international body which creates standards for everything. ISO 9001 is a standard to show how you manage quality. ISO27001? A standard to manage information security.
Remember the keyword: standard. The concrete factory had its forklifts lined up and checked every week. Its employees wore gloves and helmets. Every brick looked the same. It's exactly the mindset behind ISO.
So why would you want your information security system managed like a concrete factory? One is concrete (see what I did?), the other, abstract. In business, ensuring repeatable, predictable outcomes always triumphs. One executive at my employer said it best: he defines success as "doing what you said you're going to do". Making a million similar bricks, configuring 40,000 compute servers, and hitting your exact sales goal. Same fight.
Alright now here's the real reason why companies want to get ISO27001 certified: compliance is necessary to do business and establish trust with any partner. Your security actions aren't worth much on the market if you cannot articulate them to some overarching standards and frameworks. ISO certification also means an auditor actually looked at whether you’re doing everything you said you were doing.
But here's the kicker: what are we saying?
Making security policies matter
When done right, security policies lay down the law. They define what the company expects out of its employees.
They also make our jobs easier in security. Why do you need to do that? It’s long and inconvenient! Well, executives signed a paper that says you do. Want to get paid? That’s the parameter.
You can picture security policies as an interface. Employees don’t need to know ISO intricacies after all. Or any other law or framework for that matter. Good security policies abstract all these away while remaining close to reality.
ISO possesses three strengths when looking at its requirements from a policy perspective:
- It is comprehensive, meaning it covers all areas of information security: funding, HR practices, physical security, cryptography and so on.
- It does not get into the weeds. 114 controls are just enough to pack a punch and not too much to overwhelm. I was involved in a 900 controls audit for a government body. When you have a specific colour for your modem wires, your framework is death by a thousand cuts.
- It is not a technical checklist. ISO asks for a "what" but does not mandate a "how", so it can evolve. Practitioners can adapt the technical requirements to their organizations.
But how do you adapt? Based on the notion of risk.
ISO, risks and asset classification
Remember when I talked about forklifts? In the ISO 9001 concrete factory, you can bet every one of them has a little piece of paper on them with their identification number. And the garage has a book with all the inspections with the initials of the mechanics. It's no different in software. Standards.
Asset discovery, labelling, and ownership are the biggest and toughest part of ISO compliance. Yes, this means you have to do that type of labelling and tracking on thousands of servers, applications and computers, which ISO calls "assets". An asset is easier to miss than a forklift! Merely finding every app running in your ecosystem will require a mix of automation, tribal knowledge, and tiresome manual research.
But with this upfront cost come enormous positive externalities. Making someone responsible for having laptops inspected, patched and fixed brings clarity and accountability. You can't secure what you don't know exists. And it turns out that having a better picture of everything that happens in your information technology environment also makes cost optimization opportunities visible.
Once an organization knows what it has and what matters to fulfil its mission, it can start managing these assets based on their value.
I will not explain risk management or asset classification. This is for another ELI5 article! What I can explain, as part of ISO27001 compliance, is that you need to create a virtuous cycle:
- An asset gets an owner and a classification;
- A risk assessment evaluates the probability of the asset being compromised, and how much it will cost if that happens;
- Risk management decides how much money to invest to act on that possibility;
- Security policies get updated based on the changes expected from employees;
- Compliance people check whether the changes are implemented;
- Risk assessments get updated based on the findings.
ISO mandates such a cycle. This is called an "Information Security Management System" (ISMS) after all, so something must be managed!
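As an added illustration (not code from the article), here is a small Python model of the cycle above: assets carry an owner and a classification, the risk assessment is probability times cost, risk management invests only where a control's reduction in expected loss beats its cost, the policy then requires that control, compliance checks who has not implemented it, and the reassessment lowers the probability only for assets that actually did. All asset names, figures and the control are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    owner: str                     # accountable person or team (ISO asset ownership)
    classification: str            # e.g. "public", "internal", "confidential"
    loss_if_compromised: float     # cost of a compromise, in currency units (constructed)
    yearly_probability: float      # estimated likelihood of compromise per year, 0..1 (constructed)
    controls: set = field(default_factory=set)

@dataclass
class Control:
    name: str
    yearly_cost: float
    probability_multiplier: float  # 0.25 means the control removes 75% of the likelihood

def expected_loss(asset):
    """Risk assessment: probability of compromise times what it costs if it happens."""
    return asset.yearly_probability * asset.loss_if_compromised

def worth_investing(asset, control):
    """Risk management: invest only if the drop in expected loss exceeds the control's cost."""
    residual = asset.yearly_probability * control.probability_multiplier * asset.loss_if_compromised
    return expected_loss(asset) - residual > control.yearly_cost

def update_policy(register, control):
    """Security policy: the control becomes mandatory for every asset where it pays off."""
    return {a.name for a in register if worth_investing(a, control)}

def compliance_findings(register, required, control):
    """Compliance check: assets the policy covers whose owner has not implemented the control."""
    return {a.name: a.owner for a in register
            if a.name in required and control.name not in a.controls}

def reassess(register, required, control):
    """Updated risk assessment: only assets that really implemented the control get credit."""
    for a in register:
        if a.name in required and control.name in a.controls:
            a.yearly_probability *= control.probability_multiplier
    return {a.name: expected_loss(a) for a in register}

# Constructed sample register and candidate control (hypothetical values).
REGISTER = [
    Asset("customer-db", "dba-team", "confidential", 1_000_000, 0.10),
    Asset("marketing-site", "web-team", "public", 20_000, 0.30),
]
MFA = Control("mfa-on-admin-access", 15_000, 0.25)

if __name__ == "__main__":
    required = update_policy(REGISTER, MFA)          # {'customer-db'}: the site is not worth it
    print("policy requires", MFA.name, "on", required)
    print("findings before implementation:", compliance_findings(REGISTER, required, MFA))
    REGISTER[0].controls.add(MFA.name)               # the owner implements the control
    print("findings after:", compliance_findings(REGISTER, required, MFA))
    print("updated expected losses:", reassess(REGISTER, required, MFA))
```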
ISO27001 compliance benefits and criticism
Every analogy is imperfect. What's the issue with the concrete factory, with its forklifts and helmet-wearing employees? Helmet wearing is binary; ISO27001 remains flexible. There is no such thing as a "helmet" in information security. "Having rocks falling on your head" is easier to evaluate than "a software vulnerability nobody had conceived before".
This flexibility is a double-edged sword. On one hand, ISO triumphs because it allows organizations to perceive security as a business problem, with considerations towards cost-effectiveness and risk-taking, all grounded in governance principles. It's pretty cool for nerds like me! You just don't get the same level of business savviness in something like the PCI-DSS standard, for example, which basically obliges you to do tons of network security activities regardless of their return on investment.
So why am I talking about the double-edged sword? A careless organization can choose to put the bar very low in an ISO setting. An organization, for example, can somehow come up with a rationale about how insider threat is not a problem for them. They could create a lax hiring practice, skip background checks, and could still earn an ISO certification if they put that in a policy and a risk assessment, and employees followed the standard. See, ISO values standards. If you do something stupid, but in a standard manner, you can still earn a certification (in theory at least; auditors do have a good bullshit radar).
But there is worse. Having gone through the audit both for my employer and for one of its affiliates, I can say the ISO mentality carries an obnoxious bureaucracy bias. It goes beyond what you think. Yes, you need a procedure for every little action, and you need to audit that procedure's effectiveness, which creates piles of paper. But these can actually become useful when you spin them into metrics.
No, I'm talking about real "documents nobody reads", which feel like "meta documents" (documents about documents). For example, to meet certain criteria, one could need to produce a review of the document that explains the brand and the make of the security helmet you wear in the concrete factory. There's a thin line between "being useful" and as we say in French "spinning in a vacuum".
I hope you've enjoyed this description! I'll come back with a "Part 2: One Year later" just to see how my vision has evolved, one year in.