I attended a workshop the other day, to discuss ISO/IEC 27002.
The discussion came around to the purpose of the document, as this was a workshop with people from ISO there was an element of surprise when many of the attendees highlighted that this document is used as a stand alone guide for Security Management, rather than purely as guidance for the certification to ISO/IEC 27001, and specifically Annex A controls of ISO27001.
I was one of the people who have used it as a stand alone document. However, solely working towards compliance what does it achieve?
Given the 133 controls within ISO/IEC 27002 it gives a very high level view of what subjects should be reviewed or covered in an organisation. However, this is by no means exhaustive, in fact quite the opposite. I would suggest that to inexperienced companies and non-security professionals, this list is "all they need to do."
This, in my opinion is the crux of the matter and why people bemoan compliance. Just to comply in this case means no external verification, but also, in order to meet compliance you may avoid some as they're too hard to do, or not go deep enough on others, then still have the ability to turn and say that "we are compliant with X."
Standards are available for free in some cases and in the case of ISO standards at a minor cost to businesses. For example on iso.org, the 27002 standard costs 210 Swiss Francs which at the time of writing equates to £140, $226 or €175.
Therefore, what is the solution? Is there a solution? As an ISO27001 Lead Auditor it pains me to say, that I think not. The cost of certification is off putting and whilst it does not prevent any breach occurring, over the three year certification period, the level of obeyance to the principles of the standards are tested.
To solely work towards compliance does not involve a constant external check and that to some degree weakens the standard because when the sky falls down around your ears, to say you were compliant, reflects badly on the standard itself.
Balance that against the cost of certification and I can understand why people follow this route.
I think this will be a perennial battle for Security compliance professionals, to use another example, everyone would say that they adhere to the Highway Code here in the UK.
The volume of speeding tickets would call that into question. Are security breaches our speeding tickets?