Thursday, February 05, 2015

How do we validate a supplier has ISO 27001?

(c) Scott Adams
Most of the questions we get from our clients about ISO 27001, the standard for Information Security Management Systems, are about how they can implement this standard and possibly achieve certification.  We covered some of that in our previous blog.

The "other" question we get asked less often is "how do we validate a supplier or partner that claims to follow ISO27001 or claims to have been certified now or in the past?"
You may be surprised by the answer.

There is no such thing as a complete, current list of ISO 27001 certified companies.

That's right, it is impossible to obtain a definitive list of companies with ISO certification.

The creation of such a central list has been attempted in the past more than once, and for several ISO standards (notably ISO 9000) but such lists have always been incomplete and prone to going out of date. Part of the reason for this is that there is a competitive market between certification companies, they don't want to share their list of clients, or even indicate how many clients in total they might have, or how many might have once held certification which has since expired. Companies go out of business, get acquired, divested of, and restructured, and all these things mean that an ISO certificate issued in the past, may not count for much in the present unless the certified company has kept up with its maintenance audits (surveillance audits as we call them in ISO-speak).

Your best hope is to speak to the certification body the certificate holder used. For example, BSI allows you to query a certificate number against their database of clients to see if it was issued or is current here. Not all certification bodies have such an online service, and if you don't know who issued the certificate then you are out of luck.

360is is able to perform due diligence against your suppliers and partners to determine the strength of their information security, whether or not they have undergone any formal certification. If their technology, processes, or procedures do not provide adequate protection for your sensitive data, we are able to describe and implement improvements. If you are faced with meeting strict information security compliance targets yourself, we can help your formulate an appropriate response and program of improvements to meet expectations. Talk to one of our consultants.

No comments: