By Angelika Plate, Director of Strategic Consulting, help AG
Independent evaluation of organizations and individuals is gaining more and more importance and popularity. Having an official certification serves as proof that an organization or an individual fulfills certain criteria. This added need for credibility most likely results from the wish for more reliability and security when selecting an organization or an individual to perform a certain task. A good example of a certification that is increasingly used around the world as well as in the UAE is certification against ISO/IEC 27001, the information security management system standard. Certifications against this standard are frequently requested, e.g. when organizations consider working together, when an organization is bidding for a project, or as part of regulations or legislation.
Whilst any of the above, as well as many others, is a good reason for an organization to aim at achieving a certificate, there are two types of approach an organization can take:
The organization can take a very pragmatic approach where all that counts is the achievement of the certification. This should be achieved at minimal costs, in a short time frame and with minimum effort in the organization, and the overall aim is to have the certificate hanging on the wall – a nice picture would be cheaper, and the overall effect on information security could possibly be similar!
Alternatively, the organization can go through all the processes that are required for certification and can use all their efforts in implementing these processes to achieve more benefits than just the certificate (this still does not need to be expensive or take an awful lot of time). The added benefits can be achieved by actively identifying areas where the organization can improve their arrangements for information security, be that on a technical or procedural level, or in the information security awareness of their staff, or a mixture of all of these. Once the organization changes its culture towards information security, they will find it much easier to react to incidents and to actively manage information security as part of their business. It will also be much easier for such organizations to maintain the certificate and to continuously improve and update the security solutions in place. This means that – with little additional effort – not only the certificate but also good information security is in place in the organization!
If, on the other hand, you wish to assess which type of organization you are speaking to when they tell you that they are certified, a very good first question to ask is what the scope of this certification is. If an organization claims to be certified but the scope of this certification does not even include their most critical business activities or information, then this might support the assumption that more could be done there for information security. In order to be fair, another good question is why the scope has been selected the way it has been. If there is a good business reason for this (e.g. to practice the implementation of the standard at a smaller scope first, with plans to roll it out further later), then this speaks more towards a good implementation of the standard. Any further assessment of the quality of the solutions employed at an organization can only be made when further information is known, e.g. how their employees behave, whether the controls are updated when necessary, or whether regular checks and audits take place.
Finally, you might wonder why all this is not simply regulated by the certification process – in an ideal world, of course, it should be! In reality though, some certification bodies and/or auditors are not perfect and therefore cannot act as a reliable check. Also, there are organizations that have a reasonable level of information security when actually being audited for their certificate, but afterwards lose interest and their security level decreases quickly.
In summary, when you are looking into certification in your organization, go for the bigger aim and the added benefit of having good information security, and when you are interested in other organizations being certified, take some effort to verify that they deserve their certificate.