Half-a-dozen learning points from an ISO 27001 certification announcement

This morning I bumped into a marketing/promotional piece announcing PageProof’s certified "compliance" (conformity!) with "ISO 27001" (ISO/IEC 27001!). Naturally, they take the opportunity to mention that information security is an integral part of their products. The promo contrasts SOC2 against '27001 certification, explaining why they chose ‘27001 to gain some specific advantages such as GDPR compliance - and fair enough. In the US, compliance is A Big Thing. I get that.

It occurs to me, though, that there are other, broader advantages to ‘27001 which the promo could also have mentioned, further valuable benefits of their newly-certified ISMS.

I spot at least six general learning points here for organisations currently implementing ISO/IEC 27001:

1. Elaborating on the broad business benefits of ‘27001 can be a creative and valuable activity in its own right. A well-designed and effective ISMS can achieve way more than protecting the confidentiality, integrity and availability of data, or satisfying GDPR and other compliance obligations. Although PageProof hints at some, it’s unclear whether they truly appreciate its full potential but chose not to mention them in this promo.
   
   
2. The eventual marketing/promotional value of ‘27001 certification is worth thinking-through. From the audience's perspective i.e. the organisation’s third party stakeholders (particularly customers and prospects, plus partners, owners, regulators and other authorities), what worthwhile differences can they expect as a result of the certification? What are the main points that will truly resonate? How will successful certification be promoted, and how will it change the organisation’s ongoing marketing, promotional and advertising activities - plus its operations (in order to satisfy if not exceed the market's expectations)? Rhetorical questions such as these may be raised and discussed at any point, ideally starting early-on in the ISMS design and implementation project, and gradually refined in the run-up to certification.
   
   
3. Likewise, what about the internal corporate stakeholders - the managers, staff, contractors, consultants, interns etc.: how will the ISMS implementation project affect the workforce? What changes can they expect? What practical differences will the ISMS make? How can they get involved and help the process along (or at least avoid inadvertenly causing problems)? What are the key messages to be put across through internal communications at all stages of the project?
   
   
4. Combining points 1-3 can help clarify the objectives of the ISMS - not just the detailed information risk and security objectives but more generally the business objectives, the rationale for doing all this stuff. What are the anticipated payoffs? Which of those benefits would be in, say, the top five?
   
   
5. Those clear objectives, in turn, suggest some obvious metrics to drive their achievement. For example, if 'reducing compliance costs' is one of five key objectives of '27001 certification, there are various ways to measure and control those costs: what would be the ultimate compliance-cost-related metric to track, report and optimise? Congratulations: you've just identified an important security metric - a Key Performance Indicator if you prefer!
   
   
6. Certification marks the end of ISMS implementation and the start of routine operations. Once operational, certified and announced to the world, the ISMS should continue adding value, the very reason for its existence. Will any of the business objectives, and hence the metrics and KPIs, change markedly at that point, or will they evolve gradually through business-as-usual? Are there any implications worth taking into account in the ISMS design - for instance, ensuring that the 'security dashboard' can be updated to show new metrics or present KPIs differently? What about 'instrumenting' various security processes and systems now, generating the raw data for historical analysis even though that may not be needed until later on?
   

All in all, six stimulating points drawn from a quick read of a promo. Thanks for the inspiration, PageProof, and congrats on your certification.

Oh and there's a free bonus. Point 7: we can all learn stuff from those who go before us. Find out and think about other organisations' approach to information risk, security, privacy, compliance, governance, metrics, incidents, marketing, whatever. Would their strategies be applicable to our organisations? What would we do differently? Could we do even better?

POSTSCRIPT: if your organisation is so spooky or shy that it wouldn't even consider a press release or displaying its shiny new certificates on a website, you might instead think forward to how certification would be announced internally, confirmed to management at least. The things that are important enough to state then are [some of] the key objectives for the ISMS, worth bearing in mind now.

If it hadn't even occurred to you to promote your eventual certification, I'd have to wonder about your management's understanding and commitment to this initiative, and question your motivation for getting into it. Why bother? What will certification achieve, for the business - seriously, what? Isn't that worth celebrating, once achieved?