Wednesday, December 15, 2010

Do Your Homework

Every one of our competitors says they perform penetration testing. We’ve found that what they call penetration testing is oftentimes nothing more than a vulnerability scan with automated tools.

Every one of our competitors says they perform information security risk assessments. We’ve found that what they call a risk assessment is really a gap assessment against a recommended-controls framework such as NIST 800-53 or ISO 27002.

One of our longtime clients has been closely working with a very large U.S. bank that’s ultimately required them to achieve ISO 27001 certification. In fact, our client isn’t the only one receiving these marching orders. All similar businesses that are partnered with this big bank are being required to certify to ISO 27001, within a certain timeframe.

ISO 27001 certification? That’s a big deal. Big deal as in, you’ll probably have to hire people, build processes, and implement some technology to help build your Information Security Management System (ISMS) and keep it running. It shouldn’t be taken lightly, and when a consulting firm comes along and says they can get you certified for next to nothing, be cautious. While we were working with our client, they were contacted by another organization that had been approaching all of the agencies looking to do business with or partner with this bank.

They offered to perform a risk assessment against the ISO 27002 standard to help our client.
(D.J., please cue the record scratch sound!)

Hold up. Let’s shed some light:
• ISO 27002 is not a standard you certify against, ever. ISO 27002, by definition, “establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.”
• ISO 27002 is used primarily to address risks discovered during or after the risk assessment process, which is just one component of what ISO 27001 requires.
• ISO 27002 doesn’t contain any actual “requirements.”
• Performing a risk assessment alone doesn’t get you certified to ANYTHING.
• ISO 27001 is the standard an organization certifies to. It “specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks.”
• “ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.”

The quotations above come from the International Organization for Standardization (ISO), the body that develops and publishes the documents to which we’re referring.

If you are approached by a consulting firm that throws around acronyms and numbers, and ever uses the word ISO in a conversation regarding professional services, be cautious. For most organizations, the time and costs associated with ISO 27001 certification are much greater than a consulting firm being onsite for a week. The process involves dedicated effort and, most of the time, culture shock.

With this or any professional service offering: ask questions, and do your homework. Certification to or compliance with any standard usually is much more involved than what it appears to be.

By Jason Leuenberger, Manager/Advisory Services
