Navaio is the proud owner of an ISO27001 certificate, but what is there really to be proud of? What does a company benefit from owning this certificate? What is the value of an ISO27001 certificate? This blog will expand on this question from two angles: the value of the certificate from the perspective of the company that is certified and from the perspective of the customer who uses the services of a certified company. Spoiler alert: not all ISO27001 certificates are equal.
When Navaio started in 2017 with a staff of 14 people, the vision and strategy were: grow fast. Since then the number of staff has more than doubled. To stay in control, Navaio set up an Information Security Management System (‘ISMS’). As a small company you might be able to get away with ad hoc decisions and/or somewhat inconsistent information security management. But at a certain point the company will have to professionalize its security management and create policies and procedures to make up a good ISMS.
ISO27001 is a worldwide standard that gives a good overview or starting point. It gives 114 control measures to make sure that the ISMS secures the CIA (Confidentiality, Integrity and Availability) triad of the company. The ISO27001 standard is risk-based. The starting point of the certification for the company is to document the data it owns and the information systems in which they are stored. This by itself is already a challenging exercise for many organisations. Based on these findings and the classification of the data, the company implements policies, procedures and control measures to secure its data.
The second value of the certificate is to demonstrate that Navaio, as an IT security company, takes its own information security seriously, and that data are safe with Navaio. Navaio consultants are working for and with some of the biggest companies in the country, as well as some government institutions, such as government departments and cities. Combine this with the growth of laws and regulations and societal pressure on big corporations, and certifications such as ISO27001 are becoming the minimum standard for IT security companies. An increasing number of IT security related tenders set an ISO27001 certificate as a minimum requirement. This means that owning an ISO27001 certificate, or not, opens up or excludes opportunities for a company.
So the worth of an ISO27001 certificate for a company is to improve its ISMS and to attract more business.
Navaio was audited for its certification at the beginning of December 2018, and two days before the Christmas party we received an early Christmas ‘gift’ in the form of the good news from the auditor that we had been granted the ISO27001 certification. Now the certificate hangs in a visible place in our office.
Value for the customer?
We showed you what the certificate is worth to us as a business. However, since the implementation of the ISO27001 standard is risk-based, how can a potential client know what the certificate is worth to them? In other words: how thoroughly and extensively was the standard implemented by the company?
In many cases, when you ask a service provider for its ISO27001 certification, they will send you the certificate as proof. What does that certificate tell you about the ISMS of the company? Close to nothing. You will want to figure out what the company has implemented to receive that certificate. You can find out more about what the certificate is worth by asking for the following information about the certification:
- What is the scope of the certification? The certification can be restricted to certain services or locations of the company. You will want to know whether the service you want to acquire is within the scope of the certification.
- Ask for the Statement of Applicability (‘SoA’). The SoA states which of the 114 controls of the standard the company has implemented and which are excluded. The certificate should reference which version of the SoA the company was audited against. Make sure you receive that version. Some companies are not willing to share their SoA because they have also included information about the status of each control in the document. If this is the case, then ask for a copy in which the internal information is redacted.
If you have any doubt about the authenticity of the certificate, the certificate states which auditing body has granted it. Research the auditing body and make sure it is accredited. The accreditation can come from the IAF (https://www.iaf.nu/) or from the accrediting body of the specific country. In the Netherlands that is the Raad van Accreditatie (RvA, https://www.rva.nl). On the websites of the accrediting bodies you can search for the auditing body. If the auditing body is legitimate, you can contact them and verify the ISO certificate.
Now that you have verified the authenticity of the certificate and made sure the certification covers the service you are acquiring, you may want to dig deeper into how certain controls were specifically implemented. The ISO27001 standard includes many aspects such as change management, incident management, access control, patch management, development life cycle, etc. If it is important for your company that change management is well implemented, the ISO27001 certificate shows you that some form of it is implemented, but not exactly what. So if change management is important to you, you will want to know more details about their change management procedures, on top of asking for the ISO27001 certificate.
To find out what the ISO27001 certificate of your potential service provider is really worth, you will want to research more than just the certificate. Not all companies are excited to share more information with you, but you can still find out the worth of their certificate. If an organization is hesitant to share more information about the certificate with you, this might also be a red flag to consider when deciding whether you truly want to partner with this organization.