Post on 26-Jan-2015
First Legion Consulting
ISMS Certification Challenges in Ten Minutes (Promise)
Vicente Aceituno, ISM3 Consortium
November, 2006
ISMS Certification
Why do companies go for ISMS certification? The main reason is that they want to show they are serious about information security. This doesn't necessarily mean that they are serious about information security.
ISMS Certification
What is certification good for? It is a driver for the implementation of better ISM practices.
ISMS Certification – What is it good for?
ISMS Certification - Trust
Establishing trust relationships.
ISMS Certification - Trust
Trust relationships with Third Parties, like Partners, Customers and Suppliers:
– A way to evidence the organization's stance on security;
– A part of a contract to ensure commitment by one of the parties to security management;
– A selling point for vendors;
– A possible requirement for outsourcing providers;
– A mechanism to ensure mutual understanding of the services obtained from a security outsourcing provider.
ISMS Certification - Spain
ISMS Certification in Spain: ISO27001: 8; UNE71502 (in Spanish): 30+
Language Issue: Few people over 30 speak English in Spain. This was a major driver for translating and slightly improving BS7799-2, which became UNE71502.
Drawback: BS7799-2, UNE71502 and ISO27001 followed one another quickly, which caused confusion in the market.
ISMS Certification - Challenges
Challenges (1/3): Certification doesn't guarantee performance.
Performance depends on the budget, the capability and the commitment of those involved in running the ISMS.
Certification only guarantees that the cause of faults is not poor process design.
Poor performers and bogus certifications lower the reputation of the certification and damage the reputation of all certificate holders.
Bogus certifications might arise from cherry-picking the scope and controls to be accredited.
ISMS Certification - Challenges
One specification, different implementations: if you get the same certificate for different implementations, the market reputation you will get is that of the worst implementation.
ISMS Certification - Challenges
Challenges (2/3): Some threats fall out of the scope of information security:
– Human error;
– Incompetence;
– Fraud;
– Corruption.
ISMS Certification – Challenges
Challenges (3/3): Certification alone doesn't take capability levels beyond "Managed":
– Undefined. The process might be used, but it is not defined.
– Defined. The process is documented and used.
– Managed. The process is Defined and the results of the process are used to fix and improve the process.
– Controlled. The process is Managed, and milestones and the need for resources are accurately predicted.
– Optimized. The process is Controlled and improvement leads to a saving in resources.
ISMS Certification - Challenges
1. Incidents Happen, ISO27001 or no ISO27001.
2. Security is a negative result (No Incidents equals Security).
3. But if just One Incident happening meant the ISMS has Failed, then all ISO27001 would be Failures.
4. How can you tell a successful ISO27001 from a failed one? Can that depend on a single Incident? How many Incidents are too many?
5. How can you improve an ISMS cost-effectively if you don't know when good is good enough?
ISMS Certification - Summary
Certification doesn’t guarantee performance.
Bad performers damage the reputation of all certificate holders.
Pick-and-choose ISMSs and narrow Statements of Applicability are a threat to the success of ISMS certificates.
Criteria to determine the success or failure of ISMS systems are badly needed.
Learn to implement High Performance Security Management Processes: http://cli.gs/ism3
Web: www.inovement.es
Video Blog: youtube.com/user/vaceituno
Blog: ism3.com
Twitter: twitter.com/vaceituno
Presentations: slideshare.net/vaceituno/presentations
Articles: slideshare.net/vaceituno/documents
ISMS Certification
You can check the information security management methodology ISM3 at: www.ism3.com
THANKS