Good morning folks,
This is the second posting in a series of 3, as a reminder, Cyril, one of the blog readers, asked an interesting suite of questions:
1. Is there documentation or feedback information on ISO:27001 ISMS implementation within smaller organizations publicly available? (ie: business unit only or department)
2. Could the decision of certifying only a subset of an organization or a smaller perimeter can cause more harm than good or even project an image of irrelevancy for such an endeavour?
3. Do other frameworks are more adapted to such context?
Since we discussed question 1 in the last posting, let’s jump right away to question #2 which is: What is the potential impact in terms of value perception or image when certifying only a subset of an organization?
This question is really interesting. First, as I have discussed in a previous posting on LinkedIn there are many different reasons why companies decide to obtain ISO 27001 certification:
- Marketing
- Better security process
Second, one must know that an early step towards certification is to define the ISMS perimeter (Information Security Management System).
If you carefully and scientifically analyze the potential situation using the following approach:
MIX “First Observation” / “Reason #1” WITH “Observation #2”
It is safe to assume that an organization going for certification with marketing reasons in mind will make an outstanding effort in reducing the perimeter to the smallest possible unit within the organization. This scientific demonstration is also known in lay man terms as the “biggest bang for the buck” :)
The reason why this question is so interesting is that those miss led persons I just mentioned will get the unpleasant surprise of discovering that within a large organization, it is not easy to limit the certification scope to a specific department or a subset of a business since:
- Physical security is managed centrally
- Human resources processes are handled by a specific department and are standardized across the organization
- Access control management (physical, logical, network, OS, DBMS, Applications…) are rarely managed by a single person or department (ie: HR + IT most of the time)
- Corporate email, file storage, backing and printing services are shared corporate facilities and it would be hard to operate it differently than the corporate standard for a single department
- End users are within the scope of certification; therefore, if your system is used by human beings out of your department, you will need some security measures and a security awareness campaign aimed to them.
The list of reason can go on and on but I think you get my point...
With that said, ISO allows you to scale down the certification perimeter to a single business process or a limited perimeter. In my opinion, if you want to do it, there are three good ways of defining and scoping a smaller perimeter:
- A specific office /region / geographical location / country
- A shared service unit such as “information technology” and its datacenters
- A self sustained business process (ie: an off location call centers with their own servers, IT staff and purpose in life, in short, a business within the business)
On the point of
“Would trying to limit the perimeter give a bad image to the initiative?” I think that you can now determine on your own that the result of doing so without taking certain precaution will most certainly have a negative impact, if now on the initiative, on you!
If you make the mistake of not considering that certain controls transversally affect the organization, you won’t succeed, therefore, you will have invested a lot of time, efforts and spend precious organizational budgets to achieve near to nothing.
Yes, the security posture will have improved, but remember one thing: YOU told top execs when selling your project that your success measurement criteria will be the certification proving you did your job correctly…
Note to myself: In a future post, I should take some time to discuss how to sell the project internally and what you can safely promise your management when talking ISO 27001 certifications without shooting yourself in the foot.
I hope this post will help you get a better understanding of the benefit, requirements but also of the potential pitfalls to consider when limiting the perimeter and scope of your certification.
Now readers and fellow bloggers, the ball is in your court! Although I just gave you what I think to be nice property tour, my posting is not a fully detailed answer or analysis of the “perimeter and scoping” nuts and bolts. I didn’t look into all the possible scenarios and constraints, and therefore will ask you to either comment or proposed specific perimeter scoping scenarios you would like to debate on.
Until next time, have a great day :)
Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer