Alignment vs Compliance vs Certification

I have had a series of conversations recently where the concepts of alignment, compliance and certification of ISO 27001 were very confused. Certification was seen as horribly costly and alignment was held out as a good enough goal that was entirely achievable.

In this particular environment they were already ‘aligned’ and had achieved most of what they needed to do to be ‘compliant’ but were still scared of the impact of certification. I ended up having to come to a common set of definitions of alignment, compliance and certification to explain to a variety of security specialists and business stakeholders what they were discussing to try and defuse the fear that was starting to set in. Here are the definitions I ended up with.

Alignment is an ill-defined concept when it comes to standards. The generally accepted meaning is a stated intent to implement some part of a standard to a level of rigor acceptable to the organisation in question. Alignment to ISO 27001 generally means following a risk-managed approach to security with an informally defined information security management system. The scope of the security management system and the risk tolerance when assessing potential controls are unlikely to be well documented and provide little formal assurance internally or externally. The effectiveness of alignment as an approach covers a wide range of results from near-compliance through to wishful thinking. However, alignment is easy to achieve and the costs can be easily controlled.

Compliance generally means that the standard has been adopted by the organisation in scope and implemented in a rigorous manner but that little or no assurance is available for that statement. The bulk of the effort of understanding the organisation's risks and ensuring that they are managed in a manner appropriate to the organisation is completed in order to achieve compliance. Compliance is more usually measured when an organisation wants internal assurance that it is following good practice but has no need to provide evidence of that good practice to external bodies or partners. The majority of the business benefits from well-managed security can be achieved through attempting to reach compliance. The ‘level’ of compliance that the organisation is prepared to accept is key to the effectiveness of the security management.

Certification to ISO 27001 is a formal certification of an organisation's information security management system by an independent and accredited certification body. Certification is a small incremental cost over compliance as the work of achieving compliance is likely already done. However, it can force an organisation to apply rigor to an area of the ISMS that would otherwise not have been addressed and therefore increase costs. In itself certification is a lower-cost activity than compliance. Certification can provide assurance to partner organisations and external bodies that a well-managed ISMS exists.