I have had a series of conversations recently where the concepts of alignment, compliance and certification against ISO 27001 were very confused. Certification was seen as horribly costly, and alignment was held out as a good-enough goal that was entirely achievable.
In this particular environment they were already ‘aligned’ and had achieved most of what they needed to do to be ‘compliant’, but were still scared of the impact of certification. I ended up having to come to a common set of definitions of alignment, compliance and certification to explain to a variety of security specialists and business stakeholders what they were discussing, to try to defuse the fear that was starting to set in. Here are the definitions I ended up with.
Alignment is an ill-defined concept when it comes to standards. The generally accepted meaning is a stated intent to implement some part of a standard to a level of rigour acceptable to the organisation in question. Alignment to ISO 27001 generally means following a risk-managed approach to security with an informally defined information security management system (ISMS). The scope of the ISMS and the risk tolerance applied when assessing potential controls are unlikely to be well documented, so alignment provides little formal assurance either internally or externally. In practice, the results of alignment range from near-compliance through to wishful thinking, and nothing in the term itself tells you which end of that range an organisation sits at. However, alignment is easy to achieve and the costs can be easily controlled.
Compliance generally means that the standard has been adopted by the organisation in scope and implemented in a rigorous manner, but that little or no independent assurance is available to back up that statement. The bulk of the effort, understanding the organisation's risks and ensuring that they are managed in a manner appropriate to the organisation, is completed in order to achieve compliance. Compliance is usually what an organisation measures when it wants internal assurance that it is following good practice but has no need to provide evidence of that practice to external bodies or partners. The majority of the business benefits of well-managed security can be achieved by working towards compliance. The ‘level’ of compliance that the organisation is prepared to accept is key to the effectiveness of its security management: a self-declared compliance that tolerates large gaps is closer to alignment than to the standard.
Certification to ISO 27001 is the formal certification of an organisation's ISMS by an independent, accredited certification body. Certification is a small incremental cost over compliance, as the work of achieving compliance is likely already done. However, the auditor will want evidence for every in-scope area, so certification can force an organisation to apply rigour to a part of the ISMS that would otherwise not have been addressed, and that is where the extra cost comes from. The certification audit itself is a lower-cost activity than the work of reaching compliance, although it is not a one-off: the certificate is maintained through periodic surveillance audits, so some of that cost recurs. In return, certification provides assurance to partner organisations and external bodies that a well-managed ISMS exists.
More often, I’ve seen ISO 27001 compliance achieved only by limiting the scope of what’s being assessed. Doing It Right means extending the scope to cover the whole business, which precious few consultancies will point out to clients for fear of sending their customers running and screaming.
‘Aligned’ is a nasty term too – makes it sound as if the business is standing slightly poised next to the ISO 27001 certification entity and smiling weakly.
‘ISO 27001 Certification Ready’ is usually a much more management-friendly term and, most importantly, hides the fact that the business often doesn’t have (or is unwilling to create) the evidence to support certification.
My understanding of certification is that evidence is needed not just of policies being in place but of their effectiveness. That means that controls have to be in place and measurable and regularly measured. As you point out, that can get costly.