According to networkworld.com, nearly half of UK businesses that have been certified compliant with ISO 27001 are engaged in actions that would make them anything but. In my own experience with drive encryption software, I can see how this can be true.
ISO/IEC 27001:2005-Information technology-Security techniques-Information security management systems-Requirements (commonly abbreviated to ISO 27001, for obvious reasons) is an international standard for information security management.
According to Wikipedia,
"ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard."
Of course, as the Heartland Payment Systems fiasco showed us not too long ago, being audited and certified as being compliant doesn't necessarily mean that the data is secure. This, too, is pointed out in Wikipedia, noting that
"...the management system for information security is in place, but says little about the absolute state of information security within the organization. Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted all necessary information security controls." [my emphasis]
This is not unusual. For example, I've had firsthand experience with a company that was deploying encryption software on all of their laptops. Now, they got to the point where their laptops were protected with full disk encryption, and I'm sure they reported it as such when an auditor--assuming there was one--came around to do his or her checks.
However, it was later found that a significant number of the client's employees were using a temporary username and password that was passed around outside the normal channels used for deploying (this outside channel was an employee in the client's IT department. Why did he do this? We don't know).
The end result was that these employees' laptops were not encrypted. Just the fact that all these people used the same temporary username and password would have meant a fail under ISO 27001, for example.
Seeing the above, one can see how networkworld.com's reportage makes sense. After all, an audit is nothing but a spot-check, and auditors can't really tell whether, for example, passwords are being shared in the workplace: if the company says its employees don't share passwords, what more can the auditors do? Spring a trap?
The survey quoted in networkworld.com was conducted by Quocirca. It was found that, of the 47% of UK firms claiming compliance with ISO 27001, half of them were engaged in compliance-breaking patterns:

- Using default usernames and passwords
- Access to more than necessary
- Not monitoring employees' computer use and access
- Not realizing that privileged users exist (administrators; the CEO who wants it all, despite him being more experienced with an Etch-a-Sketch; etc.)
Granted, claiming that one is in compliance and actually being in compliance are two different things, as I've found out when people started calling in to say that their encryption wouldn't let them in (what were they expecting, with their expired temporary creds?)
(A simple check with an encryption audit report in AlertBoot vs. their laptop count would have rooted out the problem easily, though.)
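The reconciliation described above, as an added example that is not AlertBoot's own tooling or report format: it compares a laptop inventory against an encryption-status export, flagging machines that never reported in, machines that reported in unencrypted, and enrollment accounts used on more than one device (the passed-around temporary credential). Both CSV snippets are constructed sample data, and the column names (asset_tag, owner, disk_encrypted, enrolled_by) are assumptions.

```python
# Added example (not AlertBoot's tooling or report format): reconcile a
# laptop inventory against a drive-encryption audit export. Both CSVs are
# constructed sample data and the column names are assumptions.
import csv
from collections import defaultdict
from io import StringIO

# Constructed asset inventory: every laptop the company believes it owns.
INVENTORY_CSV = """asset_tag,owner
LT-0001,alice
LT-0002,bob
LT-0003,carol
LT-0004,dave
LT-0005,erin
"""

# Constructed encryption audit export: one row per device that enrolled.
# 'enrolled_by' is the account used to activate the encryption client.
AUDIT_CSV = """asset_tag,disk_encrypted,enrolled_by
LT-0001,yes,alice
LT-0002,no,tempuser
LT-0003,no,tempuser
LT-0004,yes,dave
"""


def reconcile(inventory_csv, audit_csv, shared_threshold=2):
    """Return the gaps an auditor misses by trusting the reported headcount."""
    inventory = {r["asset_tag"]: r["owner"]
                 for r in csv.DictReader(StringIO(inventory_csv))}
    audit = {r["asset_tag"]: r for r in csv.DictReader(StringIO(audit_csv))}
    # Laptops in the inventory that never reported to the console at all.
    missing = sorted(set(inventory) - set(audit))
    # Devices that did report in but whose disk is not encrypted.
    unencrypted = sorted(t for t, r in audit.items()
                         if r["disk_encrypted"].strip().lower() != "yes")
    # One enrollment account on several devices: a passed-around credential.
    by_account = defaultdict(list)
    for tag, r in audit.items():
        by_account[r["enrolled_by"]].append(tag)
    shared = {a: sorted(tags) for a, tags in by_account.items()
              if len(tags) >= shared_threshold}
    return {"missing": missing, "unencrypted": unencrypted,
            "shared_accounts": shared,
            "coverage": (len(audit) - len(unencrypted)) / len(inventory)}


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY_CSV, AUDIT_CSV).items():
        print(f"{key}: {value}")
```

On the sample data the coverage figure is 0.4, even though four of five laptops "have the client installed", which is exactly the gap between a headcount and an actual encryption state.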
Related Articles and Sites:
http://www.networkworld.com/news/2009/102209-almost-half-iso-27001-compliant.html
http://en.wikipedia.org/wiki/ISO/IEC_27001