14

I've been asked why we trust organizations that certify ISO 27001. Where do they get the authority and recognition to be able to certify ISO 27001?

For example, I can start a certification business and certify that a company is ISO 27001 compliant. However, I'm not recognized to do that, so my "signed paper" would be useless. However, if BSi certifies it, it's not useless. Hence, why is BSi's certification worth something but mine isn't?

The Illusive Man
  • Trust is a bad word, since you would really have to be stupid to trust them. But as it is, certain institutions are authorized and "trustworthy" by definition, even when they very demonstrably are not (such as the BSI or the BKA which hosts some of the worst criminals in the country). You're not going to change the fact that people want "something official" though. – Damon Apr 06 '14 at 22:48

4 Answers

16

Certification companies like SGS, TÜV Rheinland or BSI are accredited by accreditation entities to issue ISO 27001 certificates. For example, SGS and BSI are accredited by UKAS and TÜV Rheinland is accredited by DAR.

Accreditation entities perform audits of the certification companies they accredit in order to guarantee that they conform to their accreditation requirements, which usually include standards like ISO 19011. If they do not conform, their accreditation may be removed.

Who accredits the accreditation companies? As others have said, in the end there is a convention to trust accreditation entities and the system they have developed.

kinunt
  • 2
    +1 especially for getting to the core of it: "at the end there exist the convention to trust accreditation entities," - that's why they are 'trusted' and not 'proven trustworthy.' It's another faith-based system where we hope there is sufficient oversight to minimize fraud. – CodeShane Apr 06 '14 at 19:44
5

Do you believe in ISO/IEC 27001? Do you accept that a company that is implementing and maintaining a management system based on ISO/IEC 27001 will have effective information security management processes?

If you don't, then it's pointless worrying about how we can trust certification bodies, like BSI. A lot of people don't understand the standard in the first place, thinking that it is all about IT, or that if there is a major security incident then the standard, or the certification body, has somehow failed.

In fact the biggest problem, in my opinion, is in the implementation and around the inappropriate scoping of the ISMS: most commonly it's the inclusion of the IT department at the expense of everything else called the 'actual business'! A true recipe for wasting time and money, and one I hope will be encountered less with the release of the 2013 version of the standard.

Put another way, having ISO/IEC 27001 certification doesn't mean that you have good information security, as that will depend on many factors. What it does mean is that the organization has established an ISMS, is implementing and maintaining that ISMS, and that the ISMS is reviewed and improved on a continual basis. The role of the auditor is primarily to 1) check for conformity to requirements, and 2) to assess the effectiveness of the ISMS - i.e. is it consistently achieving its policy objectives.

In certification, you are putting your faith in the abilities of the individual auditors that carry out the audits on behalf of the certifying body. If two different and competent auditors plan and conduct the same audit, both will emerge with different findings. In order to have confidence in this process, you must also understand how it works, its value and its weaknesses.

As was mentioned earlier, national accreditation bodies like UKAS help to give us that confidence by auditing the certification bodies, essentially on our behalf, and removing the accreditation if the certification body is not fulfilling its own management system requirements and complying with standards such as ISO/IEC 17021 (Conformity assessment requirements) - which, for example, requires that certification bodies and their auditors are independent in conducting the audit. How many certification companies do you see that also provide consulting services? Consulting and auditing are two complete opposites, and will invite bias in the audit result. Accredited companies like BSI are not allowed to provide consulting services.

Another important requirement is that certification bodies must have effective processes in place for selecting and training auditors that ensure the necessary competence. This is very important, as I mentioned, since we are being audited by people, and all are different. Good certification bodies will ensure consistency as much as possible, and to a high standard.

So to answer the question, we trust in 'accredited' certification bodies because we understand that they are being monitored by a competent, independent third-party and have to maintain certain standards in order to remain accredited.

Are there good and bad certification bodies? Are there good and bad auditors? YES to both! It's grey, and as mentioned earlier by another poster, it's a convention of trust. Ultimately, I think it is the reputation of the certification body that we are looking to for that trust, and that is the main reason why the original poster's (op) certificate is perceived as being worthless compared to the certificate of the known certification organisation.

One more note on this point: there is no 'requirement' for certification in the standard. It's a choice a company makes for [mostly] outwardly building confidence that they are committed to the process, which is why I asked in the beginning, do you believe in the process?

Equally, anybody (me, you, and the op) can conduct an audit and certify that a company is conforming to the ISO/IEC 27001 standard; nothing wrong with that, depending on the benefits that the organisation is looking for. Certainly, an 'unaccredited' certificate from the op will not hold much weight in the community view, but bear in mind that it all comes down to the auditor, and there is no reason why the op or anyone else couldn't be sufficiently competent and experienced in conducting ISO/IEC 27001 audits and be in a position to provide great value to an audit client by providing an independent opinion.

Why do we trust the organizations that certify ISO/IEC 27001? Maybe for the same reason we trust SSL Certificate Authorities: reputation.

Just an opinion.

Lee
4

Ultimately it's down to trust. Who trusts you to audit against ISO27001?

In the case of BSi, they've established themselves as part of the process (indeed BS7799, which was a BSi-developed standard, predated ISO27001 and IIRC was effectively turned into ISO27001 when it was first created).

So as part of creating a standard you have to create and manage an audit process to handle certification, and so they were/are trusted by groups like the UK government to do that.

Theoretically anyone could come up with their own security compliance standard based on ISO27001, but the problem is, "why would you trust them?"

Rory McCune
2

ISO27001 is a standard against which an organization is audited. It is not a pen test or a code review; it is focused primarily on management, policies, etc. It's a third party providing reasonable assurance about the operating effectiveness, controls, etc. at the company. E.g. if an org has been certified, you would still have legal agreements, contracts, etc. to manage risk. Trust is not the same as a guarantee.

The organization that wants to be certified also chooses who will audit them. They could hire someone's no-name startup company, but typically they will hire some brand name which has trust and respect in the market, for whatever that is worth. Audit and certification firms have reputations. If you require your vendor to be certified, you can tell them to use an approved list of vendors, or could say we don't care about your cert because we have no reason to have confidence or trust in the third party who did the review. The third party doing the certification can also be checked for credentials, e.g. ISO/IEC 27001 Lead Auditor.

The point of any type of third party review (SOC1/SSAE16, SOC2, ISO27001, etc.) is to gain some reasonable assurance at a lower cost than going in and doing a full audit on your own. The organization can be reviewed once by a trusted third party using common criteria; otherwise every customer would have to independently audit or review the company, which wastes the company's time and is probably way more expensive for the customer. There is no requirement to trust someone's ISO27001 certification. If it's that important, you can always negotiate to have your own independent review performed using your own criteria.

Eric G