First Legion Consulting ISMS Certification Challenges in Ten Minutes (Promise) Vicente Aceituno ISM3 Consortium November, 2006

Page 1: ISMS Certification Challenges

First Legion Consulting

ISMS Certification Challenges in Ten Minutes (Promise)

Vicente Aceituno, ISM3 Consortium

November, 2006

Page 2: ISMS Certification Challenges

ISMS Certification

Why do companies go for ISMS certification? The main reason is that they want to show they are serious about information security. This doesn't necessarily mean that they are serious about information security.

Page 3: ISMS Certification Challenges

ISMS Certification

What is certification good for? It is a driver for the implementation of better ISM practices.

Page 4: ISMS Certification Challenges

ISMS Certification – What is it good for?

Page 5: ISMS Certification Challenges

ISMS Certification - Trust

Establishing trust relationships.

Page 6: ISMS Certification Challenges

ISMS Certification - Trust

Page 7: ISMS Certification Challenges

ISMS Certification - Trust

Trust relationships with third parties, like partners, customers and suppliers:

– A way to evidence the organization's stance on security;

– A part of a contract to ensure commitment by one of the parties to security management;

– A selling point for vendors;

– A possible requirement for outsourcing providers;

– A mechanism to ensure mutual understanding of the services obtained from a security outsourcing provider.

Page 8: ISMS Certification Challenges

ISMS Certification - Trust

Page 9: ISMS Certification Challenges

ISMS Certification - Spain

ISMS certifications in Spain:

– ISO27001: 8

– UNE71502 (in Spanish): 30+

Language issue: Few people over 30 speak English in Spain. This was a major driver for translating, and slightly improving, BS7799-2 into UNE71502.

Drawback: BS7799-2, UNE71502 and ISO27001 followed one another quickly. This caused confusion in the market.

Page 10: ISMS Certification Challenges

ISMS Certification - Challenges

Challenges (1/3): Certification doesn't guarantee performance.

Performance depends on the budget, the capability and the commitment of those involved in running the ISMS.

Certification only guarantees that the cause of faults is not poor process design.

Poor performers and bogus certifications lower the reputation of the certification and damage the reputation of all certificate holders.

Bogus certifications might arise from cherry-picking the scope and the controls to be accredited.

Page 11: ISMS Certification Challenges

ISMS Certification - Challenges

Specification

Page 12: ISMS Certification Challenges

ISMS Certification - Challenges

Different Implementations

Page 13: ISMS Certification Challenges

ISMS Certification - Challenges

If you get the same certificate

Page 14: ISMS Certification Challenges

ISMS Certification - Challenges

For different implementations

Page 15: ISMS Certification Challenges

ISMS Certification - Challenges

The market reputation you will get is that of the worst implementation

Page 16: ISMS Certification Challenges

ISMS Certification - Challenges

Challenges (2/3): Some threats fall outside the scope of information security:

– Human error;

– Incompetence;

– Fraud;

– Corruption.

Page 17: ISMS Certification Challenges

ISMS Certification - Challenges

Page 18: ISMS Certification Challenges

ISMS Certification – Challenges

Challenges (3/3): Certification alone doesn't take capability levels beyond "Managed":

– Undefined. The process might be used, but it is not defined.

– Defined. The process is documented and used.

– Managed. The process is Defined, and the results of the process are used to fix and improve the process.

– Controlled. The process is Managed, and milestones and the need for resources are accurately predicted.

– Optimized. The process is Controlled, and improvement leads to a saving in resources.

Page 19: ISMS Certification Challenges

ISMS Certification - Challenges

1. Incidents Happen, ISO27001 or no ISO27001.

2. Security is a negative result (No Incidents equals Security).

3. But if just One Incident happening meant the ISMS had Failed, then all ISO27001 ISMSs would be Failures.

4. How can you tell a successful ISO27001 ISMS from a failed one? Can that depend on a single Incident? How many Incidents are too many?

5. How can you improve an ISMS cost-effectively if you don't know when good is good enough?

Page 20: ISMS Certification Challenges

ISMS Certification - Summary

Certification doesn’t guarantee performance.

Bad performers damage the reputation of all certificate holders.

Pick-and-choose ISMSs and narrow Statements of Applicability are a threat to the success of ISMS certificates.

Criteria to determine the success or failure of an ISMS are badly needed.

Page 21: ISMS Certification Challenges

Learn to implement High Performance Security Management Processes: http://cli.gs/ism3

– Web: www.inovement.es

– Video Blog: youtube.com/user/vaceituno

– Blog: ism3.com

– Twitter: twitter.com/vaceituno

– Presentations: slideshare.net/vaceituno/presentations

– Articles: slideshare.net/vaceituno/documents

Page 22: ISMS Certification Challenges

ISMS Certification

You can check the information security management methodology ISM3 at: www.ism3.com

THANKS