Posted by: Anil Patrick
ISO 27001, ISMS, security certifications, security policy, scope, SoA
In connection with one of our recent stories, I happened to get a status check on the number of ISO 27001 certified organizations in India. Globally, India comes in second when it comes to the number of ISO 27001 certified organizations. Our country has 484 ISO 27001 certified organizations as of January 2010, which is very good news indeed.
Natural curiosity led me to take a look at the ISMS scope of these certifications as declared by the companies. It’s quite an interesting read and requires a bit of in-depth examination, but I leave the conclusions to your final judgment.
Having said that, it’s essential to point out the importance of statements of applicability (SoA), when it comes to acquiring an ISO 27001 certification. As the knowledgeable will readily admit, the SoA is subject to your convenience in many cases—you admit only to the aspects that you can comply with during audits. The scope of your ISMS will determine how easily and rapidly your organization gets ISO 27001 certified.
A large organization will take years to get completely ISO 27001 certified if it undertakes a proper scoping exercise. And India has several examples of such organizations which merit their ISO 27001 medals of honor. These are organizations that have won the certification by dint of their sincere efforts.
On the other hand, it’s not very uncommon to see organizations proudly declaring themselves ISO 27001 certified, even if the actual certification only covers one or two divisions of their entire operations. This achievement is then paraded around in ad campaigns and the like. Such practices ensure that many undeserving organizations wear the ISO 27001 badge for their processes.
Taking such shortcuts is not really serving the cause of information security, is it? Who are we trying to fool?
A junior admin getting certifications with the aid of “brain dumps” is looked down upon in our country. This is largely because the person has managed to boost his CV without the actual experience to be useful in real world environments. So does it suddenly become justifiable if an entire organization fakes it, and gets away with it?