First of all, I’d like to clarify that this is not an article against the ISO27001 standard. Personally, I have found the standard incredibly useful for defining and implementing an ISMS in any organization: it is well organized, it is complete, and its risk-oriented approach is the smartest approach when you try to maximize your security investment.
However, I do want to trigger some thinking around the value of its certification. Does investing in getting an ISO27001 certification pay off?
If we talk about an organization investing in any certification, then we should try to analyze the business case behind it. If we look at other certifiable standards such as PCI-DSS, the business case is obvious. If you are a merchant, your bank is going to require you to be compliant. If you are a service provider, your customer will do so. You need the certification to do your business, period. If you look at GDPR and being able to demonstrate your compliance and adherence, the business case is even clearer.
But this is not what happens with ISO27001. There might be a few exceptions where your client requires you to be certified in order to do business, but in my experience, most of the time it is just a nice-to-have requirement. If you can show your client that you manage your security following best practices, maybe even following ISO27001 requirements, they will not push you to be certified. And this is talking about B2B, because when you are in B2C nobody will ask you for the ISO27001 certification. Never. Consumers don’t care about ISOs. Most of the time consumers don’t even care about security or privacy, but that is another debate.
The truth is that being ISO certified has a high cost. Not only the direct cost of paying for the audits, but more importantly the indirect costs, because you need to dedicate your precious security resources to performing tasks and keeping documentation in order to show your compliance and adherence to the standard. Said another way, you don’t only need to comply with what the standard requires, you also need to be able to prove it to an auditor in a very rigid way. This can be quite time-consuming, and it is not the most exciting task for your security geeks. And all the time you invest in paperwork to show compliance is time that you are not investing in improving your security controls and your security posture.
So my point is, when you consider the huge effort that is required to get and to hold an ISO27001 certification, I think for most companies it is just a huge waste of resources. If your company holds an ISO certification, think about it. Does it really pay back the effort you are making to maintain such a certification, or would you find a better return on investment if you dedicated the certification time and budget to something else?
Happy to read your comments, since I’m pretty sure some of you will not agree with me here!!