Does ISO 27001 Mean That Information is 100% Secure?

Tuesday, May 10, 2011

Dejan Kosutic

9259e8d30306ac2ef4c5dd1936e67634

You have probably heard that important web services like Reddit, HootSuite, Quora, Foursquare etc. have recently suffered a quite lengthy outage - what you also probably know is that this outage was caused by Amazon Web Services (AWS), their cloud computing service provider.

What you probably didn't know is that AWS is ISO 27001 certified.

But isn't ISO 27001 a guarantee against such service outages? Didn't a certification company check the AWS? What's the point of ISO 27001 if such things can happen?

The answers are: No, Yes, and Lower risk. Let me explain...

ISO 27001 certification does not guarantee that the Internet service provider is going to have uptime of 100%, or that none of the confidential information is going to leak outside the company, or that there would be no mistakes in data processing.

ISO 27001 certification guarantees that the company complies with the standard and with its own security rules; it guarantees that the company has taken all the relevant security risks into account and that it has undertaken a comprehensive approach to resolve major risks.

ISO 27001 does not guarantee that none of the incidents are going to happen, because something like that is not possible in this world.

A certification body (in this case Ernst & Young CertifyPoint) probably did check whether Amazon Web Services complied to the standard and to their own security policies & procedures, including their procedures for incident response and business continuity plans; they should have also checked the AWS risk assessment and whether all the relevant risks were taken into account.

However the certification body does not have a crystal ball to predict all the incidents that could occur, neither is that their job - their job is to check whether the company has done its homework - developed a security system.

So the final and the most important question is - what's the point of ISO 27001 then?

The point is in lowering the risk of doing business. If your company is implementing ISO 27001, that means you will have to consider very carefully what could endanger the confidentiality, integrity and availability of your information; knowing those risks, you need to implement various security measures in order to decrease risks to an acceptable level.

If you are doing business with a company that is ISO 27001 certified, you will know that this company has done all that.

Does it mean that ISO 27001 will eliminate all the potential problems? Obviously it won't. But it will decrease the chances of something like that happening, and if it does happen, the reaction of the company will be much quicker and more efficient, and the damage to the business will be lower.

Cross-posted from ISO 27001 & BS 25999 Blog

Complete ISO 27001 and BS 25999-2 Webinar Schedule:

ISO 27001

ISO 27001 Lead Auditor Course Preparation Training

ISO 27001 Benefits: How to Obtain Management Support

ISO 27001: An Overview of ISMS Implementation Process

ISO 27001 Foundations Part 1: ISMS Planning Phase, Documentation and Records Control

ISO 27001 Foundations Part 2: Implementation, Monitoring and Reviewing, Maintaining and Improving the ISMS

ISO 27001 Foundations Part 3: Annex A Overview

ISO 27001 and ISO 27004: How to Measure the Effectiveness of Information Security?

ISO 27001 Implementation: How to Make It Easier Using ISO 9001

BS 25999-2

BS 25999-2 Foundations Part 1: Business Impact Analysis

BS 25999-2 Foundations Part 2: Business Continuity Strategy

BS 25999-2 Foundations Part 3: Business Continuity Planning

BS 25999-2: An Overview of BCM Implementation Process

ISO 27001 and BS 25999-2

ISO 27001/BS 25999-2: The Certification Process

How to Become ISO 27001 / BS 25999-2 Consultant

ISO 27001 & BS 25999-2: Why is It Better to Implement Them Together?

Internal Audit: How to Conduct it According to ISO 27001 and BS 25999-2

ISO 27001 / BS 25999-2 Management Responsibilities: What Does Management Need to Know?

How to Write Four Mandatory Procedures for ISO 27001 and BS 25999-2

ISO 27001 and BS 25999-2 Strategy

Risk Management Part 1: Risk Assessment Methodology and Risk Assessment Process

Risk Management Part 2: Risk Treatment Process, Statement of Applicability and Risk Treatment Plan

Organization of Information Security; External Parties; Raising Awareness, Training and HR Management

Asset Management and Classification

Possibly Related Articles:
18617
General
Information Security
Compliance Amazon Security Audits ISO 27001 Webinar Information Security AWS
Post Rating I Like this!
3c66e7e9308d6d674f331fb1d4507c4d
Franc Schiphorst You forgot one thing. Scope.

If you look at this announcement it does not say much.
http://aws.typepad.com/aws/2010/11/aws-receives-iso-27001-certification.html

This is a nice one and sound like BS to me.
"We don’t disclose every control we have in place, but of course we did consider all relevant guidance documented in 27002 as applicable to our scope covering AWS infrastructure, data centers, and services including EC2, S3, and VPC. As part of the certification process our auditors validated that we addressed all aspects of the 27002 guidance appropriate for our systems and services."
Security through obscurity ;)

And of course if they have their own systems build to be multi zone/datacentre then for THEM (and THEIR ISO27001) the problem aws had will NOT be a risk so it does not need mitigating and so will not be checked against and so will not be covered by ISO27001.

http://aws.amazon.com/security/iso-27001-certification-faqs/
"The ISO 27001 certification covers the security management process over a specified scope of services and data centers"
could not find the "specified scope" online
1305094160
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.