ISO 27001 inspires confidence, but it is only the beginning

ISO 27001 certification is anything but easy to obtain. Even so, security standards can create a false sense of security. More standards and protocols do help, but the reality remains that no security level can be guaranteed purely by marking off a checklist.

ISO 27001 is all about identifying, assessing, and treating information security risks. Managing information securely has to remain a constant effort, and the standard is built accordingly: a certificate is valid for three years, with annual surveillance audits in between and a full recertification audit at the end of the cycle. External auditing ensures that organizations don't mark their own papers. The standard has been revised several times, most recently in 2022, when the revised control set (Annex A) added, among other things, controls for the use of cloud services and for threat intelligence. Business continuity also features prominently, both as a real-world objective and as something auditors check. ISO 27001 is intended to stay current, so further revisions should be expected.

Ultimately, ISO 27001-certified companies must establish, implement, maintain, and continually improve an Information Security Management System (ISMS). They must identify risks, improve policies where necessary, train staff, use encryption, and secure their network. How exactly this should be done is not specified in detail: the standard states what must be achieved, and the organization decides how. Don't expect a tailor-made list for every conceivable type of company; other standards come closer to that, and they are often based on ISO 27001.

Alternatives, variants, and extensions

Although the International Organization for Standardization (ISO) is a leading authority on security matters, other standards can be at least as important depending on the situation. American organizations, for example, often rely on SOC 2; opinions are divided as to which of the two is stricter or harder to achieve, but their criteria overlap considerably. SOC 2 is an attestation report issued by an independent auditor, not a certification, and it comes in two types. A Type I report is a snapshot: it assesses whether the controls are suitably designed at a single point in time. Only a Type II report assesses whether those controls actually operated effectively in practice, over an observation period that typically spans several months.

Outside of ISO 27001 and SOC 2, there are countless other standards and frameworks for measuring an organization's security level. From a business perspective, however, which of them matters is decided by who demands it. Just as national legislation based on the NIS2 directive determines which security policies organizations in the EU must comply with, ISO 27001 certification is simply a routine requirement that customers put to their suppliers. That sets it apart from the many proposed alternative protocols, frameworks, and "baselines" that are not on organizations' wish lists for their suppliers. Even a list such as the Minimum Viable Security Product (MVSP), set up by Google, Salesforce, and Okta, among others, includes ISO 27001 as a requirement where it is 'relevant' to the vendor's business.

Food for thought

Whether ISO certification itself or compliance with a derivative is at play, the text of these standards is only an indication of the philosophy behind them. To be truly secure, an organization must not treat compliance as a way to "tick off" security. Nevertheless, vendors such as Synology know that a certificate makes a product usable for a particular sector. For this party, which today announced its ISO 27001 certification, the word 'trust' quickly comes to mind. Synology CEO Philip Wong notes that the certification reflects the company's 'commitment' to security. In this case, the scope of the certification is also broad: not only Synology's end product, but also its Information Security Management System (ISMS), core infrastructure, development cycle, and security response fall under the ISO 27001 certificate.

This example shows why organizations need to look beyond the mere existence of a certificate. An ISO 27001 certificate applies to a defined scope, and it must be possible to determine exactly which components that scope covers: the company itself, the software, the infrastructure, the suppliers. Anyone who fails to check this runs the risk of ISO 27001 merely being a distraction from serious security flaws.

In fact, ISO 27001 can safely be considered insufficient on its own if the data is important enough. Legislation based on NIS2 is stricter for critical infrastructure, partly because it is mandatory rather than voluntary, while a standard such as NIST SP 800-53 in the US places more emphasis on continuous monitoring than a single ISO 27001 certification can achieve.

Conclusion: think beyond ISO 27001

Organizations without strict security obligations can still require ISO 27001 certification when selecting vendors or partners. However, it is unwise to rely solely on such a requirement. First of all, even a highly secure company that complies with all security rules can be compromised and leak data. Zero-day vulnerabilities, social engineering, and the paralysis of services by a DDoS attack can never be ruled out. So we cannot assume that an ISO 27001-certified company is immune. And even if an organization itself meets the standards one would expect, that offers no guarantees about that company's partners and suppliers.

ISO 27001 is an abstraction layer and can therefore distract from what's truly important. And what's important is that trust in the security of organizations is based on facts. ISO 27001 was conceived as a mold for sound security policy, but that policy remains a human endeavor. The same applies to certification, even though it is assessed by an external party. Stricter regimes exist to impose even tougher requirements, but they too remain bound by the fundamental limitations of theoretical ideals. No matter how many best practices and rules you establish, they are of little value if the organization implementing them does not consider them important beyond compliance. And that assessment cannot be made on the basis of certification alone.