Does ISO 27001 mean that information is 100% secure?

By Dejan Kosutic on May 02, 2011

You have probably heard that important web services like Reddit, HootSuite, Quora, Foursquare etc. recently suffered a fairly lengthy outage. What you also probably know is that this outage was caused by Amazon Web Services (AWS), their cloud computing service provider. What you probably didn't know is that AWS is ISO 27001 certified.

But isn't ISO 27001 a guarantee against such service outages? Didn't a certification body check AWS? What's the point of ISO 27001 if such things can happen?

The answers are: No, Yes, and Lower risk.

Let me explain…

ISO 27001 certification does not guarantee that a service provider is going to have 100% uptime, that no confidential information is ever going to leak outside the company, or that there will be no mistakes in data processing. What ISO 27001 certification does guarantee is that the company complies with the standard and with its own security rules; it guarantees that the company has taken the relevant security risks into account and that it has undertaken a systematic approach to treating the major ones. ISO 27001 does not guarantee that no incident will ever happen, because nothing can guarantee that.

A certification body (in this case Ernst & Young CertifyPoint) presumably did check whether Amazon Web Services complied with the standard and with their own security policies and procedures, including their procedures for incident response and their business continuity plans; they should also have checked the AWS risk assessment and whether all the relevant risks were taken into account. However, a certification audit is a point-in-time, sample-based check of a defined scope, and the certification body has no crystal ball to predict every incident that could occur. Nor is that their job: their job is to check whether the company has done its homework, i.e. built and operates an information security management system (ISMS).

So the final and the most important question is – what’s the point of ISO 27001 then?

The point is lowering the risk of doing business. If your company is implementing ISO 27001, you will have to consider very carefully what could endanger the confidentiality, integrity and availability of your information; knowing those risks, you then implement security measures to bring them down to an acceptable level. If you are doing business with a company that is ISO 27001 certified, you know that this company has done that work.

Does it mean that ISO 27001 will eliminate all the potential problems? Obviously it won’t. But it will decrease the chances of something like that happening, and if it does happen, the reaction of the company will be much quicker and more efficient, and the damage to the business will be lower.

You can also check out our video tutorial How to Write the ISO 27001 Risk Assessment Methodology (commercially sold video).

  • SriVatsa

    Exactly. ISO27001 does make any company 100% secure. It is important companies reduce risk by complying with other ISO27001 controls. Being an external auditor for a certification body, I have audited many hundreds of companies and noticed that by having ISO27001 at least the employees are aware that the data they have needs to be protected.
    A good effort to comply with ISO27001 standard always makes the effort to secure the company worthwhile.

  • Arnold Murphy

    Security is vigilance, taking the precautions necessary to maintain a state and to deter and prevent that state or a portion thereof becoming known to others. Any and all steps in security can be defeated, with effort. Nothing is guaranteed, but following a known process to guide you through securing an environment and its state is a guaranteed method of improving your security stance. If we go through the processes necessary and mitigate known exploitable surfaces, all we do is eliminate fear, because we have resources to deal with threats. And by lowering the threat vectors, by being vigilant, it is a deterrent to attackers. After all, by increasing security you make your company less of a target, and the attacker will go after weaker targets instead. This leaves the highly sensitive information at risk to very sophisticated attackers only, and that is still a considerable problem. So we have to be diligent and patch and upgrade and follow standards that are built from experience and adaptation. It's a certainty that unless the world suddenly becomes incredibly ethical, threats will remain and adapt as well; only a collaborative effort to secure information and resources will work to balance the equation. It is in collaboration on guides like ISO 27001 that we standardize a common defence strategy that captures and learns from the weakest and compromised systems. We can be almost thankful of a certain amount of ignorance and sloth in the industry that forgo security measures; they are the immune system of the information collective, and when they are compromised it leads to immunities and new strategies. In a way the rest of us benefit from those who do not implement procedures and policies to overcome and mitigate threats through such frameworks as ISO 27001.