
I asked my client (a bank) why they don't certify themselves against ISO 27000 standards. The answer was that if they certified, it would increase the risk of being attacked.

Does that make any sense? Can hackers be aware that some particular company is certified? To my mind, if the company does not state it publicly, no one would ever know... Also, since this is a bank, it already inherently possesses some level of risk.

cpast

ZygD

I call BS. It's not even about knowing if an organization is certified. Knowing or not would not make one a target. – schroeder Mar 13 '15 at 23:49

1 Answer

I do not see an increased risk of attack due to being an ISO certified organization.

ANSI (the governing standards body) does not release ISO certified organizations' business names. There are organizations that offer you the ability to look up an ISO 27001 certified organization, but those organizations have elected to register voluntarily.

I would suspect that another driver (high cost, large time footprint, operational workflow implementation) is behind a lack of desire to become certified.

Citizen

Do other governing standards bodies also not release the ISO certified organizations' business names? I ask because I'm not from the USA, so that ANSI would be applicable to us. Or is it the only governing body for ISO? – ZygD Mar 14 '15 at 14:19

ANSI is the only governing body. There are other private organizations that members can join with the purpose of promoting the member status as an ISO certified organization. – Citizen Mar 18 '15 at 15:09