"How can we be compliant with ISO 27001?"
"I think we are compliant with this security control requirement, but why does our auditor still give us an audit finding note?"
"Which framework is the best for information security: ISO 27001, NIST or COBIT?"
These three questions are just a few examples of what I have received from many colleagues and read in many discussion forums over the past 10 years working in IT assurance, security and risk management. Many of them believe that being compliant with one or more regulatory or de-facto standard requirements is the goal to be achieved. It is a good goal… but I personally believe it is not the ultimate goal management should strive for, in any sector. When it comes to information security, being secure… being able to protect customer and business information… is the ultimate prize we as professionals should focus on.
"Being compliant does not mean we are secure, but being secure most of the time shows that we are compliant"
You can argue that this is the wrong statement to make, but here is my case in point: when I studied the various frameworks in the information security world, such as NIST, ISO 27001 and COBIT, I came to the conclusion that all of these frameworks (and other frameworks like them) are designed with the good and positive intention of giving that security assurance. None of their authors would think otherwise. So the principles are intrinsically good… there is no need to bring all the drama and "cult"-like discussion about which framework is the best! When we implement these basic principles (that is how I always see them: basic minimum principles) and continuously improve the way we work every single day, then we can be more comfortable that we are secure, while not necessarily holding a compliance certification. If we get one, that's good, but again, that should not be the goal!
Unfortunately, "business priorities" and the human-error nature of work ethics have led us to where we are at the moment (and where we have been in past years). Looking at the many data breach cases of the past years, how many of the breached organisations already had ISO 27001 certificates hanging on their walls? How many glowing compliance audit reports (including SOC 1/2/3) do they collect every year? And still…
So, my point is: let's stop arguing and busily shopping for the best security framework(s) for our organisations. Window shop once, choose, implement… and continuously improve the security posture. Focus on the right prize. Reaching maturity level 4 or 5 is good news, but don't stop there… it's a marathon, not a sprint!
As much as the world is full of business requirements to hold one or more security compliance certificates or reports, fulfil that obligation with the goal of showing others how seriously you take the protection of customer and business information, not just ticking every single box in any of the frameworks.