What It Means To Be ISO 27001 Certified - Benefits and Potential Payoffs
July 15, 2008
Mark Bernard is the Security & Privacy Officer at Credit Union Central of British Columbia. Today, Mark's credit union is the first financial institution to achieve ISO 27001 certification. Mark discusses ISO 27001 certification and its benefits with BankInfoSecurity.com.
Background: ISO 27001 is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO). The certification ensures that effective security controls and policies are in place. The certification process is a measurement of the performance of best security practices and identification of opportunities to improve those practices. It basically involves testing the existence and effectiveness of the information security controls at any given institution.
Benefits/ Payoffs of ISO 27001 Certification-
The Credit Union Central of British Columbia has changed remarkably in its level of security awareness, and the credit union system has gone up substantially. People now recognize the value of, or they are realizing the value of having an information security credential such as this, and it is helping the institution to identify information security issues and address them more effectively.
As an institution in general, the culture has benefited as well. It's more focused on information security now and the identification of assets and how the credit union treats assets, threats, risk, and the vulnerability associated to those assets have been very positive.
Such involvement also boosts the team culture that remains, and this team effort can be effectively channelized into other business areas.
The ISO framework provides many of opportunities for improvement and to draw new sets of controls and to manage those more effectively likely than they have been in the past. Also, because the ISO framework already exists the credit union is looking at other standards such as the BS 25999, which is Business Continuity Standard, and integrating those controls within the ISMS.
Becoming ISO certified also made a big difference to the institution economically by reducing the number of external consulting engagements that were necessary, costing hundreds of thousands of dollars. And now the credit union has a bonafide external audit group that comes by twice a year to monitor their activity and provide a list of opportunities for improvement.