ISMS Certification Challenges

  • What is certification good for? It is a driver for implementation of better ISM practices.
  • What is certification good for? It enables establishing trust relationships with Third Parties, like Partners, Customers and Suppliers. A selling point for vendors; a part of a contract to ensure commitment by one of the parties to security management; a mechanism to ensure mutual understanding of the services obtained from a security outsourcing provider; a way to evidence the organization's stance on security; a possible requirement for outsourcing providers.
  • Certification doesn’t guarantee performance. Performance depends on the budget, the capability and the commitment of those involved in running it. Certification only guarantees that the cause of faults is not poor process design.
  • Poor performers and bogus certifications lower the reputation of the certification and damage the reputation of all certificate holders. Bogus certifications arise from choosing scope and controls to be accredited.
  • Some threats fall out of the scope of information security: Human error; Incompetence; Fraud; Corruption.
  • How many controls have to fail before an ISMS is called a failure?

    1. First Legion Consulting. ISMS Certification Challenges in Ten Minutes (Promise). Vicente Aceituno, ISM3 Consortium, November 2006.
    2. ISMS Certification
       • Why do companies go for ISMS certification?
       • The main reason is that they want to show they are serious about information security.
       • This doesn’t necessarily mean that they are serious about information security.
    3. ISMS Certification
       • What is certification good for?
       • It is a driver for implementation of better ISM practices.
    4. ISMS Certification – What is it good for?
    5. ISMS Certification - Trust
       • Establishing trust relationships.
    6. ISMS Certification - Trust
    7. ISMS Certification - Trust
       • A way to evidence the organization's stance on security;
       • A part of a contract to ensure commitment by one of the parties to security management;
       • A selling point for vendors;
       • A possible requirement for outsourcing providers;
       • A mechanism to ensure mutual understanding of the services obtained from a security outsourcing provider.
       • Trust relationships with Third Parties, like Partners, Customers and Suppliers.
    8. ISMS Certification - Trust
    9. ISMS Certification - Spain
       • ISMS Certification in Spain.
       • ISO27001: 8
       • UNE71502 (in Spanish): 30+
       • Language issue: few people over 30 speak English in Spain. This was a major driver for translating BS7799-2 into Spanish, with small improvements, as UNE71502.
       • Drawback: BS7799-2, UNE71502 and ISO27001 followed one another quickly. This caused confusion in the market.
    10. ISMS Certification - Challenges (1/3)
       • Certification doesn’t guarantee performance. Performance depends on the budget, the capability and the commitment of those involved in running it.
       • Certification only guarantees that the cause of faults is not poor process design.
       • Poor performers and bogus certifications lower the reputation of the certification and damage the reputation of all certificate holders.
       • Bogus certifications might arise from choosing the scope and controls to be accredited.
    11. ISMS Certification - Challenges: Specification
    12. ISMS Certification - Challenges: Different Implementations
    13. ISMS Certification - Challenges: If you get the same certificate
    14. ISMS Certification - Challenges: For different implementations
    15. ISMS Certification - Challenges: The market reputation you will get is that of the worst implementation
    16. ISMS Certification - Challenges (2/3)
       • Some threats fall out of the scope of information security:
         – Human error;
         – Incompetence;
         – Fraud;
         – Corruption.
    17. ISMS Certification - Challenges
    18. ISMS Certification – Challenges (3/3)
       • Certification alone doesn’t take capability levels beyond “Managed”:
         – Undefined. The process might be used, but it is not defined.
         – Defined. The process is documented and used.
         – Managed. The process is Defined and the results of the process are used to fix and improve the process.
         – Controlled. The process is Managed and milestones and resource needs are accurately predicted.
         – Optimized. The process is Controlled and improvement leads to a saving in resources.
    19. ISMS Certification - Challenges
       1. Incidents happen, ISO27001 or no ISO27001.
       2. Security is a negative result (no incidents equals security).
       3. But if just one incident happening meant the ISMS had failed, then all ISO27001 ISMSs would be failures.
       4. How can you tell a successful ISO27001 ISMS from a failed one? Can that depend on a single incident? How many incidents are too many?
       5. How can you cost-effectively improve an ISMS if you don’t know when good is good enough?
    20. ISMS Certification - Summary
       • Certification doesn’t guarantee performance.
       • Bad performers damage the reputation of all certificate holders.
       • Pick-and-choose ISMSs and narrow Statements of Applicability are a threat to the success of ISMS certificates.
       • Criteria to determine the success or otherwise of ISMS systems are badly needed.
    21. Information Security that makes Business Sense
       • inovement.es/oism3
       • Web: www.inovement.es
       • Video Blog: youtube.com/user/vaceituno
       • Blog: ism3.com
       • Twitter: twitter.com/vaceituno
       • Presentations: slideshare.net/vaceituno/presentations
       • Articles: slideshare.net/vaceituno/documents
    22. ISMS Certification
       • You can check the information security management methodology ISM3 at: www.ism3.com
       • THANKS
