ISMS Certification for Outsourced Service Providers
- — 13 October, 2011 11:03
The aim of this article is to provide companies that offer outsourced services, (dealing with the management of information), some tangible, commercial benefits to go down the ISMS implementation and certification path.
Having worked in the security management space for a number of years now I have seen many different approaches to how security is assessed when looking at an outsourced service provider. Like belly buttons, every Information Security professional has an opinion on what provides the best assurance.
My personal belief is that if a company has applied a best practice approach that sucked a lot of brain power out of many people, and is internationally recognised, that’s a pretty good start… enter ISO27001. Although the standard has its critics, it’s hard to argue that in theory, it’s solid. The challenge lies in how it is interpreted and how the ISMS is implemented.
If you want to demonstrate effective security management to your customers and you are considering certification to ISO27001, you would have already read a mass of material. Pretty much every whitepaper, article or brain dump written about ISMS implementation tells you that it all begins with ‘Obtaining business sign off / buy in’, I fully agree with this. Having full commitment and support from management to implement is critical, if you don’t have it you have more chance of pushing that stinky stuff up a hill than getting an ISMS implemented and certified.
Getting Management on board is no cake walk; you will need some strong commercial justification and some flashy PowerPoint skills to get it over the line. I can’t help you with PowerPoint, however here are some commercial points to consider:
Point 1 - Marketing Advantage
Pretty much every company has competition, having an edge is always a good thing. If you work with information and information security is something your customers and/or regulators deem important, having independent verification that information security is implemented and managed against an international standard is a tick in the ‘pro’ column. Quite simply, if you have it, you have a marketing advantage over a competitor that doesn’t.
Application and benefit: Certification can be used on sales and marketing material e.g. websites, brochures, trade events or during sales pitches as something to differentiate your services from a competitor. This is stuff sales people love to leverage and it will give customers (new or existing) some assurance that you are serious about security.
Point 2 - Reduced Customer Initial and Ongoing Due Diligence
Having your information security environment reviewed and/or audited by a new or existing customer ‘SWAT’ team is a normal part of the process these days when information management is involved. 9 out of 10 ‘Audit Checklists’ will be derived from ISO27002 and titled ‘3rd Party Security Assessment’ or something similar. Having an effective ISMS means you can breeze through, I reckon, about 85% of the formidable checklist and move on to more important things like, how much money the deal will bring in or which pub are we going to for lunch.
Application and benefit: The statement of applicability, internal audit reports, metrics, records, etc can be sanitised and provided to auditors for them to review. This will reduce the amount of time (and frustration) your staff will have to spend sitting with auditors to demonstrate compliance with their damn, stinking checklist. You would expect (or demand) that the auditors would review the ISMS material and come back with very specific requests for information or questions.
Point 3 - Reducing Risk and Preventing Incidents
There have been many examples in 2011 where companies have suffered at the hands of an information security incident. If your company deals with other companies or individuals information, the consequences of a compromise (that is made public) could be a major game changer for your business. By applying a business focused, consistent approach to identify and manage Information Security risk allows the right application of control and gives you the best possible chance of minimising the likelihood of an incident. Running the ISMS through is paces, having the Corrective and Preventative procedures firing, and keeping the right people focused is a very effective way to keep incidents at bay.
Application and benefit: Formal identification of Information Assets and a comprehensive and ongoing assessment of the risks related to those assets is pretty much a no brainer, if you are not doing this… well ‘*face palm. If done right this is another sales point for potential customers (along with Point 1). Being up front with customers about how you manage risks and deal with incidents will strengthen their belief that you are a good company to share information with.
Point 4 –Ability to move and swing with External obligations
Although there are some sharp fanged regulatory and legislative requirements regarding information security, they rarely bite unless you really stuff things up. This doesn’t mean they are not important and simply paying ‘lip service’ to them is a wise move. Most of these external requirements call for, or recommend, ISO27001 as an effective way to be ‘complaint’. Aside from this, an effective ISMS will provide a means whereby you have the ability to move and change with any requirement in a measured approach, rather than people running all over the place freaking out about the next new external or internal compliance mandate.
Application and benefit: Being able to adjust your security environment to deal with any type of new requirement is bread and butter for an ISMS. It will save time, effort and money, and again, can be used as a sales lever to customers that are tightly bound by regulation.
One potentially viable point that I didn’t elaborate on is implementing an ISMS because a competitor has. Well, this one I think should be left for last if the others fail. I am not sure it would invoke the right type of response and maybe result in a half baked effort… but hey, if you think different, go for it.
I hope this has given you some ideas to think about regarding getting your ISMS project up and running. There are a mass of other benefits to implementing an ISMS, including but not limited to:
- Justification of security controls and spend
- Alignment with management requirements and resources
- Defined metrics to maintain management support
- Tangible way to show a positive operationally returns on investment.
… however, as mentioned above, this article is to assist with the commercial rationale to implement an ISMS in an outsourced service provider environment. I would recommend tailoring the ‘benefit’ messages to your audience.