(N)ever the twain shall meet? - Security and certifications

In the business world, one of the key ways that organizations provide assurance on information security, business continuity and privacy to their stakeholders (i.e. customers, investors or employees) is by achieving certifications like ISO 27001 or ISO 22301 or privacy certifications like ISO 27018.

One of the key questions we must ask is: how much can organisations and their stakeholders rely on these certifications to obtain assurance about the real state of security in the organisation?

Let us take an example of an organisation with ISO 27001 certification.

One of the key things to keep in mind is the difference between "an organisation with good security practices that also holds the certification" and "an organisation with good security practices but no certification". The key difference is usually ONLY documentation. A certified organisation typically has to maintain more documentation in order to get certified.

This does not necessarily mean that a certified organisation is more secure than an uncertified organisation with the same level of security controls.

Having been in the industry for quite some time, I have seen some glaring examples of organisations that have certifications but are not secure. Some of these were due to the inherent limitations of the controls mandated by the certification.

For example, ISO 27001:2013 did not have specific controls to address newer risks such as Cloud, BYOD and mobile applications. Today, organisational data is exposed to employees who bring their own devices and are very reluctant to allow organisations to install controls on them. Similarly, given the extent of the information supply chain, it is inevitable that vendors have access to organisational data without the organisation's own security controls in place.

Many organisations turn a blind eye to this risk, since it is extremely difficult to implement controls on end-user and vendor devices. Even frameworks like ISO 27001:2013 do not address this risk. Hence, relying on ISO 27001 alone for assurance may not be a complete solution.

From the above discussion, it is clear that while certifications may provide some level of assurance, stakeholders cannot rely on them alone, since they do not address all current risks.

There is a need for certifications to move at the speed of technology.

However, the argument against this is that certification standards cannot keep changing; we cannot have a new certification version for every new technology. Certifications like ISO 27001 position themselves as a framework that has to be customised by organisations to address current risks. However, most organisations treat ISO 27001 as a prescriptive standard and implement only the controls specified in it, conveniently ignoring newer threats.

It is important that organisations keep reviewing new risks like Cloud, BYOD and mobile, and evolve their controls to address them.

One of the certifications that caught my eye over the last year is the UK-based Cyber Essentials certification. This certification is mandatory for any organisation that wishes to do business with the UK government. The interesting part about this certification is that it is fairly prescriptive. It mandates specific controls, such as minimum OS versions on BYOD devices that access organisation data. What this means is that organisations can no longer conveniently provide access to organisation data on their employees' personal devices while ignoring basic security controls. Cyber Essentials mandates that unless BYOD devices are updated to the latest OS or patch level, they cannot be given access to organisational data.

While this may seem draconian to the lay person, from a security perspective it is a basic requirement. If the device itself is insecure, the applications installed on it (e.g. security software, MDM or DLP software) will also be vulnerable. Many IT/IS practitioners have complained bitterly about these stringent requirements.

However, when we go through the list of controls prescribed in Cyber Essentials, it is very clear that they are required to address risks in the current IT ecosystem, where data is scattered across the Cloud as well as internal applications, and is accessed from both trusted and untrusted devices.

This brings us back to our original question. Do certifications actually indicate the true level of security in an organisation?

There can only be a qualified answer to this. If organisations use certifications as a framework to identify threats and implement controls, certifications can definitely help secure an organisation. However, an organisation that adopts a minimalist approach, implementing only the smallest number of controls mandated by a certification like ISO 27001, is doing neither itself nor its stakeholders justice. Referring to a certification like Cyber Essentials can give IT/IS/Risk Management practitioners an idea of new controls that can be implemented in their organisations, so that the twain of security and certifications can meet.

(c) 2024 Keith Prabhu

(This article is meant to provoke debate. Please share your views.)

(Keith Prabhu is the Founder & CEO, Confidis. Confidis helps companies in areas of Information Security, Privacy and Business Continuity. In case you need any information security, BCM or Privacy services, please drop me a mail at info (AT) confidis (dot) co)
