Nowadays ISO/IEC 27001 has (almost) become a commodity product. From the full title printed on the certificate, “Information technology - Security techniques - Information security management systems - Requirements”, one might conclude that a certified company has adopted a sound management system that keeps its information assets secure. Strictly, the certificate attests only that the company's information security management system (ISMS) meets the requirements of the standard within a defined scope; it does not attest that any particular system or dataset is secure.
But does that mean a certified vendor's systems are so safe that, as a client, you can share your firm's data with them without further checks?
The fact that the certificate is an internationally recognized standard and requires a long audit process does not eliminate the chance of gaps. The Boeing 737 MAX crashes of 2018 and 2019 show that even a regulator as highly regarded as the FAA (Federal Aviation Administration) certified an aircraft that subsequently crashed twice and killed hundreds on board.
You therefore need to handle ISO 27001 certified companies with extra care. There are at least 5 characteristics of this certification that are sometimes misunderstood or deliberately misused.
1. More than one organization can issue this certificate
The ISO Survey 2020 records 44,499 valid ISO 27001 certificates worldwide. Companies race for this certification not merely for good information security governance but also for marketing purposes, and this leads some to obtain it from unaccredited certification bodies. An accredited certification body is one that has itself been assessed by a national accreditation body; a certificate from an unaccredited body carries no such assurance about the quality of the audit behind it.
As a consequence, you need to find out whether your potential vendor obtained the certificate from an accredited body. If your vendor is in the Netherlands, the RvA (Raad voor Accreditatie) publishes the list of accredited bodies in the country. If your vendor is in another country, the IAF (International Accreditation Forum), whose members are the national accreditation bodies, is your source to consult. In either case, check that the certificate carries the accreditation body's mark and confirm the certificate number against the issuing certification body's own register rather than relying on a PDF supplied by the vendor.
2. The certificate is valid for 3 years
Since its validity is not permanent, check the expiry date and, if needed, ask about the renewal plan. A vendor should already have a recertification plan when the expiry date is less than 6 months away. Keep in mind as well that within the 3-year cycle the certification body carries out periodic surveillance audits, and a certificate can be suspended or withdrawn before its printed expiry date; a certificate that looks current on paper may therefore no longer be valid, which is another reason to verify it with the issuing body.
3. Only certain parts of a company, rather than the whole company, may be certified
According to recent research by the University of East London, one of the weaknesses of ISO 27001 is the common misconception that only the IT department of a firm needs the certification. The certificate states the scope of the ISMS that was audited, so read that scope statement carefully. Make sure that at least the department or the service deliverables covered by your contract fall within the scope.
4. Likewise, only some of a company's offices, rather than all of them, may be certified
So pay attention to location too. Double-check whether the location(s) you will be dealing with, or from which the vendor will deliver their service to you, are within the scope of the certification.
5. ISO 27001 permits controls to be excluded if they are not applicable to the firm
Flexibility is one of the strengths of the standard, but it can open a security gap when an excluded control relates to the task you intend to assign to the vendor.
For example, a vendor may have marked the cryptography controls of Annex A as not applicable in their Statement of Applicability (SoA), the document that lists every control together with the justification for including or excluding it. The SoA is not printed on the certificate and is normally an internal document, so ask for it as part of your due diligence. If you are a financial or healthcare organization that must ensure the confidentiality of clients' data, such an exclusion is a valuable warning.
Lastly, while an ISO 27001 certificate serves as a good security indicator, your own due diligence on the vendor's risk management remains essential.