Hopefully, after reading my last post here, you have a clear understanding that not all ISO 27001 certificates are the same. The scope can vary, and not all suppliers understand that they cannot “re-use” their hosting partner’s ISO 27001 certificate to claim that they themselves are certified. Beyond that, I have seen several other cases in which third party risk management becomes challenging when it relies only on an ISO 27001 certificate:
Compliant vs Certified
ISO 27001 certification is one of the most sought-after proofs of compliance, and it has gained more traction in recent years, especially among digital and cloud-based service providers. Unfortunately, this also exposes the ugly truth of the certification process. Most organizations perceive ISO 27001 certification as the end of the journey, not as a means to grow and mature their Information Security Management System (ISMS) so that it truly protects customer and business information and assets.
Many organizations rush to become ISO 27001 certified because they want to secure lucrative business deals or new clients. And with the way an ISO 27001 audit is generally performed, it is possible for them to be certified only a few months after implementing the ISO 27001 set of controls.
There is nothing wrong with that in itself, because unfortunately that is how the compliance industry operates at the moment. But it does mean that security professionals responsible for third party risk management need to put in more effort than simply feeling reassured after receiving a copy of the vendor’s ISO 27001 certificate. For example: a security questionnaire followed by an active discussion with the vendor’s technical and security teams.
Do you see what I’m trying to emphasize there? Yes, active discussion! Sending out security questionnaires alone is not enough. When coupled with active discussion, a security questionnaire is no longer security theater but one of the most powerful tools for managing third party risk.
Based on these discussions, we can get the right “feeling” for whether a vendor is indeed compliant with the ISO 27001 requirements and principles, or whether it merely “obtained” the certificate for the sake of ticking a box.
Statement of Applicability
Another document I personally always ask vendors to submit alongside their ISO 27001 certificate is the Statement of Applicability (SoA). Interestingly, I found that many vendors were surprised by this request, because other buyers are normally satisfied with receiving just the certificate.
The SoA is as important as understanding the scope of the certification, because the SoA describes in detail which ISO 27001 Annex A controls are in scope of the audit and which are not. Compared against the type of online services the vendor is offering to your organisation, reviewing the SoA is a good indicator of whether the ISO 27001 certificate you have received covers all (or at least most) of the elements that are crucial for your organization’s needs.