The Impact Of ISO/IEC 27001:2013 Certification
Last year I had a conversation with a potential new customer where we discussed the Cyber Essentials scheme* and ISO/IEC 27001:2013** certification. The prospect commented “if the supplier has the Cyber Essentials badge, we would be happy as it demonstrates information and cyber security are taken seriously”. The first question I raised was “was this on a self-certification basis or an audited basis?”. The answer was self-certification. This was highly strange in my mind, because to get an ISO/IEC 27001 certification you have to be audited.
I then asked “if the organisation has an ISO/IEC 27001:2013 certification issued by a UKAS approved organisation, would this be accepted instead?” Surprisingly the answer was “possibly not”. So I asked “why not?”, because the five key controls in the Cyber Essentials scheme are quite clearly taken directly from the standard, so how the standard isn’t seen as being at least as strong is puzzling in my eyes. They responded “if you have ISO/IEC 27001, you can exclude parts of the business, so Cyber Essentials is seen as stronger.”
Under the old ISO/IEC 27001:2005 standard it was possible, and quite often happened, that an organisation excluded parts of its business, certified the ‘broom cupboard’ and then claimed it had ISO/IEC 27001 certification without specifying what the certification truly covered. This essentially allowed a business to promote itself as ISO certified when in actual fact what was included in the scope had no real security implications.
As the new 2013 standard and the Cyber Essentials scheme bed down, there is bound to be some confusion or misunderstanding. What is clear is that the new ISO/IEC 27001:2013 standard does not allow for exclusions except under very specific circumstances, so it covers the whole organisation’s ISMS (Information Security Management System).
When parts of a company are left out of the scope under the new standard, they have to be treated as an “outside world” entity. This means that part of the business would have to have its access to the information assets within the scope limited, which could create more problems than initially anticipated and isn’t practicable in most instances, since employees who are outside the scope will be interacting with employees who are inside it.
Whilst the Cyber Essentials scheme is a great initiative helping to keep the UK safe in cyber space, going forward I hope there will be more clarity within the scheme, because it covers only a small part of what ISO/IEC 27001 international standard certification gives, and of the added reassurance customers get from using a UKAS certified organisation.
Richard Brown | Information Security Officer
*Cyber Essentials is a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
**ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS). ISO International Standards ensure that products and services are safe, reliable and of good quality. http://www.iso.org/iso/home/standards/management-standards/iso27001.htm