ISO 27001 & ISO 22301

Very often when I deliver free webinars on the topic of ISO 27001 certification, I notice that quite many people expect help with their personal certification related to ISO 27001 while the webinar is focused on certification of organizations.

This kind of misunderstanding is not entirely unexpected since many certifications in the security domain (e.g. CISSP, CISA, CISM) are focused on the certification of persons, and have nothing to do with organizations.

So, is ISO 27001 certification intended for organizations or persons? Actually, both.

Certification of organizations

ISO 27001 is a management standard that was initially designed for the certification of organizations. The system works like this: companies (or any other type of organization) develop their Information Security Management System (ISMS) which consists of policies, procedures, people, technology, etc. and then invite a certification body to check our whether their ISMS is compliant with the standard – this check is done during the so-called certification audit.

If the certification audit is successful, the certification body will issue a certificate which will state that the organization in question is compliant with ISO 27001.

In this case the employees working at that organization are not certified, although it has been confirmed they behave according to the standard. To read more about certification of organizations read this article Becoming ISO 27001 certified – How to prepare for certification audit.

Certification of persons

However, the whole industry related to ISO standards (certification bodies, consultants, training institutions, etc.) soon realized that if there are no qualified employees who would develop and maintain the management system, the whole concept would fail.

Therefore, very much like ISO 9001, ISO 14001 and other management standards, various trainings have been developed for individuals that need to get education for ISO 27001. There are now dozens of different trainings for individuals lasting from a few hours to a few weeks – for an overview read this article: How to learn about ISO 27001 and BS 25999-2. The most recognized trainings are ISO 27001 Lead Auditor Course and ISO 27001 Lead Implementer Course, but only for the former an internationally recognized certificate is issued (under the accreditation of institutions like IRCA or RABQSA).

This way the individuals that attend the training and pass the exam obtain the certificate that is issued to their name. But even if all the employees at a company were certified, this still doesn’t mean that the company itself would get the certificate – there is quite a big difference between certification of persons and organizations.

So ISO 27001 does offer various possibilities for certification, unlike any other standard in the security domain. The best, of course, would be to pursue both certifications – certify your personnel so that they can help your organization develop and maintain an adequate level of security, and certify your company so that the training of the individuals is done systematically and according to realistic security needs.

You can also check out our series of ISO 27001 webinars that will teach you the basics of ISO 27001.

If you think your management doesn’t have a clue what information security is all about, keep in mind that misunderstanding usually goes both ways: management often thinks you have no idea about what is appropriate for the business.

So before suggesting to your management to start implementing your information security / ISO 27001 project, you should learn about your management’s way of thinking. Here are the five main concerns your management will have when you approach them:

Is it really necessary? You have to be prepared to present the main benefits of information security, because otherwise the management won’t understand its purpose. In most cases you can choose among the following benefits: (1) Compliance with various legislation and contractual requirements etc., (2) Achieving competitive advantage in the marketplace, (3) Lowering expenses by decreasing the number of incidents, and (4) Optimizing your business operations by clearly defining tasks and responsibilities. Read more on these four benefits here: Four key benefits of ISO 27001 implementation.

Does it fit into our company strategy? Strategic fit is very important for your top management – one of your management’s primary concerns is how to keep your company competitive for a longer time period. Therefore, you have to do your homework – find out how information security can underpin certain elements of your company’s corporate strategy.

How to decrease the costs? One of the most misunderstood aspects of information security is that most of the problems (i.e. incidents) happen not because of technology, but because of human behavior. Therefore, most of the investments needed will be in defining new policies and procedures, and training and awareness programs which will prevent such incidents from happening – such investments are usually far cheaper than new technology.

Sometimes, investment in technology will also be needed – in such cases you can try to calculate the Return on Security Investment. For instance, you might try to calculate the damage that would be caused by a fire, and calculate the investment needed to prevent such damage. Just be sure not to exaggerate here, because you’ll lose your management’s confidence.

How to make sure we’ve achieved what we wanted? First of all, you need to help your management set very clear objectives – usually, those objectives will derive from the four benefits mentioned above. The second step is to set up a measurement system which will define how to measure whether the company achieved the set objectives; that system must involve clear responsibilities of who will make the reports, in which form, and who is going to read them and interpret them. Finally, a system must be in place to correct all the deviations from the objectives (be sure that such deviations will certainly happen).

What risks are involved? Management usually wants to know what is the likelihood of failure of the investment they have made. Here you need to explain to them the balance between the risks you will identify during the risk assessment and the security measures your company will invest in – the higher the investment, the smaller the chances that something will go wrong. Of course, overinvesting is not a solution, and this is why you need to leave the decision about acceptable risks to the management – your role is to present them the risks and potential security measures in an objective manner. The decision what to do with those risks is up to the management.

The point here is – the problem is not that management doesn’t want to invest in information security, but that it is either uninformed about it, or that you cannot speak the same language with your management.

By understanding the five basic issues your management is concerned with and by establishing appropriate communication with them, you’ll dramatically increase your chances for your information security project.

You can also check out our webinar ISO 27001 / BS 25999-2 management responsibilities: What does management need to know? (commercially sold training).

If you came across both the ISO 27001 and the ISO 27002, you probably noticed that ISO 27002 is much more detailed, much more precise – so, what’s the purpose of ISO 27001 then?

First of all, you cannot get certified against ISO 27002 because it is not a management standard. What does a management standard mean? It means that such a standard defines how to run a system, and in case of ISO 27001, it defines the information security management system (ISMS) – therefore, certification against ISO 27001 is possible.

This management system means that information security must be planned, implemented, monitored, reviewed, and improved. It means that management has its distinct responsibilities, that objectives must be set, measured and reviewed, that internal audits must be carried out and so on. All those elements are defined in ISO 27001, but not in ISO 27002.

The controls in ISO 27002 are named the same as in Annex A of ISO 27001 – for instance, in ISO 27002 control 6.1.6 is named Contact with authorities, while in ISO 27001 it is A.6.1.6 Contact with authorities. But, the difference is in the level of detail – on average, ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control.

Finally, the difference is that ISO 27002 does not make a distinction between controls applicable to a particular organization, and those which are not. On the other hand, ISO 27001 prescribes a risk assessment to be performed in order to identify for each control whether it is required to decrease the risks, and if it is, to which extent it should be applied.

The question is: why is it that those two standards exist separately, why haven’t they been merged, bringing together the positive sides of both standards? The answer is usability – if it was a single standard, it would be too complex and too large for practical use.

Every standard from the ISO 27000 series is designed with a certain focus – if you want to build the foundations of information security in your organization, and devise its framework, you should use ISO 27001; if you want to implement controls, you should use ISO 27002, if you want to carry out risk assessment and risk treatment, you should use ISO 27005 etc.

To conclude, one could say that without the details provided in ISO 27002, controls defined in Annex A of ISO 27001 could not be implemented; however, without the management framework from ISO 27001, ISO 27002 would remain just an isolated effort of a few information security enthusiasts, with no acceptance from the top management and therefore with no real impact on the organization.

You can also check out our webinar ISO 27001 Foundations Part 3: Annex A overview (commercially sold training).