ISMS Certification vs Conformity

So, as stated above, you can only certify against ISO/IEC 27001 (the other documents in the family are guidance, not certifiable standards). But why certify? Here are some reasons given by certification bodies.

Certification is not required by any legislation or regulation, so why bother? The best answer is that it validates that the investment in security controls meets business goals and provides business value. That value lies in managing business risk, achieving a high level of legislative and regulatory compliance, and managing vulnerabilities and threats. The ISO security standards provide a disciplined approach to information security, business risk management, and compliance management. Certification provides independent validation that the organization has applied that discipline effectively, and it demonstrates due diligence on the part of executives and management: that they are addressing the information security needs of the organization.

The business value of certification also includes the disciplined approach itself: it promotes the development of security management processes, methodologies, tools, and templates that can be reused across the organization and throughout security planning, implementation, operations, monitoring, tracking, and reporting. Because the tracking and reporting tools are based on an industry standard such as ISO, audits become easier, which means a lower cost for the audit itself and a higher likelihood of passing it.

So, the benefits would be:

  • Establishes a formal approach to information security (IS)
  • Raises the internal visibility of IS
  • Raises the level of IS awareness
  • Provides proof of robust controls
  • Gives a clear focus on, and control of, risk management
  • Increases customer confidence
  • Provides a tangible competitive advantage
  • Embeds IS in a process of continuous improvement

But is it really necessary to certify? Wouldn't it be more useful simply to conform to the standard without being certified?

This depends on the situation. An external auditor is always welcome, because an outsider sees what internal staff overlooked. That, however, does not require certification.

One situation where certification is needed is when a business partner asks for it. When you are given access to a partner's sensitive information, the partner needs to know that you handle it properly. They do not have the time to check for themselves, so they ask for a formal process such as an ISMS to be in place to assure them that their data is safe.

An ISMS should be implemented in every business, but certification is not a must.