Reviewing an ISO 27001 certificate: a checklist

The ISO 27001 Certification silver bullet

An ISO 27001 certification is often used by a supplier to assure its customers they take information security seriously. This doesn’t mean that they will not suffer any security breaches but maintaining a well-designed ISMS will decrease the likelihood from happening. And that’s why many organizations rely on an ISO27001 certificate to confirm their data will be safe.

However, let’s not blindly trust that certification logo proudly presented on the supplier’s landing page. Make sure to consider the following when you assess your supplier’s ISO 27001 certification:

1. The supplier’s current certification status, certification history and future plans
2. The Statement of Applicability
3. The scope of the ISO 27001 certification
4. Key third parties used in delivering the purchased services

1.     Certification status: valid

An ISO 27001 certification is valid for 3 years. I’m sure you are going to validate if a supplier is currently certified, but make sure to also consider the past and future:

• A gap in a supplier’s certification status is there for a reason: Were they facing difficulties in renewing their certification? This could be an indication that their ISMS is not well maintained.
• When is the next recertification due? Is the supplier planning on maintaining their certification? Will they make the deadline?

2.     How applicable is the Statement of Applicability?

Part of the mandatory ISO 27001 documentation is the Statement of Applicability (SoA) which determines, for each ISO 27001 Annex A, whether or not they are selected for implementation. And where not selected, a reason why.

But, do you agree with the selection made?

Verify that all controls relevant to the services you purchase from the supplier are selected. Depending on the nature of supplier’s business it might make sense to focus on specific controls – for example a supplier specializing in physical security will put more emphasis on those controls.

And remember, the goal of an ISMS is to manage information security. This doesn’t mean that all the controls are implemented. This cannot be verified through a certificate, but is a question you may want to raise.

3.     Enter Scope

Defining the scope of the ISMS is one of the key steps in getting ISO 27001 certified. A well-defined scope ensures that appropriate controls are selected to safeguard all of an organization’s sensitive information. But an organization is free to decide on the coverage of the ISMS. It can be limited to certain departments, geographical locations or a subset of the organization’s legal entities. That’s why it is important to correctly verify the scope of the certification vs. what you purchase.

The certificate includes a brief description of the scope, but we recommend that you challenge the scope in greater details, to make sure it’s as exhaustive as you’ve assumed, and fully covers the service you are obtaining.

Consider a certification’s scope from a functional and technical perspective:

• Functional:
  • Are all facilities relevant to the service, in scope?
  • What about organizational entities and departments used in the delivery of the purchased services?
  • For example, if you want to purchase a software solution (either on premise or hosted in the cloud) and you notice that they have left their entire Software Development Lifecycle (SDLC) process out of scope, you might want to do some additional follow up.
• Technical:
  • Is the entire ICT infrastructure used in the delivery of the services in scope?
  • Have they considered both on-premise and off-premise (Cloud, etc)?
  • Make sure these include all environments where your data will be stored or is in transit, production and non-production environments from which development and maintenance activities are performed, end user environments and their endpoints (workstations, mobile phones, etc.).
  • And what about workstations? They’re often overlooked. A supplier might have implemented various controls to protect their server environment; if they didn’t implement appropriate controls to protect the workstation from which they administer the server environment, you may have a serious gap in the risk coverage.

Remember that the entire scope should be subject to the external certification audit. In case of doubt, why not pop the question.

Going still deeper, you may want to obtain confirmation that the controls selected in the Statement of Applicability are being uniformly implemented across the entire scope.

4.     Third parties squared

This is basically further extending the scope discussion. An organization may be ISO 27001 certified but if they use a hosting provider that hosts its servers from the basement of “Dave’s mom”: that certification greatly diminishes in value.

When assessing a supplier, consider all key third parties they use in delivering the service and extend the scope of your assessment to include them as well.

At the very least, identify if third parties are involved in:

• The development of software used for the services purchased
• Hosting services for systems used in the delivery of the services
• Maintenance on those systems
• Any other direct or indirect access to your organization’s data

For each of these, make sure to obtain a certificate and… verify it as well! You’re only as strong as the weakest link.

So, what’s in an ISO Certification

As I said in the intro: having an ISO 27001 certification in place indicates that your supplier takes information security seriously, which is a good thing. But make sure to do your own due diligence by checking that the services you’re acquiring are really covered by this certification. Don’t get me wrong here, but in most cases, a supplier didn’t get this certification specifically for you. The only way to make sure is to ask. And make sure to get that in writing 😉.