Q: What benefits have you received from ISO 17799 certification?
Other than the usual (managerial and legal) benefits of becoming standards compliant, what exactly have you gained from doing 17799? Would it really improve security for small organizations, or those with distributed working environments?
A: Hi ...,
ISO 27001 certification is very useful for any company whose business requires information security.
What I see in thousands of organizations is unstructured security practice. Or malpractice.
This discipline (Information Security) requires maturity like any other, and ISO 27001 is one nice way of getting maturity in practice.
 
Here are the characteristics of Information Security operations that we see every day:
the information security operation does not have a clearly defined scope (e.g. is accounting in your scope?),
information security does not have a well-defined process/lifecycle model,
the information security operation does not have a risk management model and risk analysis,
the information security operation does not have document management,
the information security operation does not enforce regular audits,
the information security operation does not have metrics and measurement in place.
ISO 27001, like many other security frameworks, promotes one main idea: a more secure operation. You may individually apply one or two of the missing components, but having everything organized under one framework, and having this certified by a third party, has a different value.
Your organization gains a very important thing for information security operation: Governance. 
With the certification, you and the rest of the world will know the scope, processes, policies, documentation, risk management, audit plans, metrics and measurement, so that you can continuously improve your security level. As you know, according to the very basics of information security principles, you cannot improve a system where you do not have a well-defined scope, where you do not know the assets and risks, and where you cannot measure the metrics.
ISO 27001 actually delivers a security program to address your organization's information security requirements. You can check CMM offerings to value the changes in information security with ISO 27001.
My organization gained a lot with the certification in terms of certification, and we still do, because every year we go through it again. The certification is not for compliance; we actually improve our security posture, and this progress is verified/certified by third-party accreditors.
Let me know if you have a specific problem.
cheers,
- yinal
Wednesday, September 12, 2007