Over the years I have seen an assortment of companies, from tiny to giant, from aircraft engineering companies to penetration testing and defence contractors. They have all had something in common: ISO 27001 or ISO 9001. The first is an information security framework and the latter a quality management system. Why did they get this externally audited certification? Simple: to tick a box and possibly so they could bid.
ISO 27001 is of course a good benchmark or framework; the problem is it is often audited by governance experts who look for policies and processes, not the actual technical security controls you have. 100+ controls exist and they may cover nearly everything possible, but specific items are generic. For example, a control states you must use antimalware and have a policy. Would free AVG suffice on all laptops and ClamAV for your servers?
Installing free or licensed antimalware on all endpoints will make an ISO 27001 lead auditor happy and tick his or her box, but what benefit does it add? Little. Even the best antimalware product does not do much, and this has been known for years. Signatures and heuristics catch little. Antimalware, whitelisting and tight inbound & outbound firewall rules would make someone like me far happier.
Over the last five years in different roles I have seen a number of shocking things at “ultra-secure” or ISO 27001 certified companies. Two first-hand examples from the United Kingdom and two from Asia are:
- SaaS synchronisation service: ISO 27001 certified, yet when you dial their phone number it takes you straight into their voicemail service, which lets you listen, delete and change settings. Notified them.
- Defence contractor: Recently ISO 27001 certified, with a news article on the homepage. Underneath is a link to their webmail platform with just an email address & password to log in, and not even SSL/TLS.
- Cyber security firm: No antispam or antimalware used on the file server, mail server and possibly endpoints. Why? Because the operating systems used are less susceptible than Windows.
- Secure hosting & backup: “ultra-secure” (just the data centre) and offering zero knowledge backup. Zero knowledge backup is fantastic, but maybe not when the username and password are sent over port 80 with no SSL/TLS in sight.
Whatever happened to do as you preach? Few security focused firms and individuals actually do. Unlike myself of course!
Governance can help and has its place, but you need technical experts to check and enhance controls. ISO 9001 and 27001 are often simply used to win bids with governments, banks, train companies and airlines. If a technical expert actually looked under the hood of one of these firms they may get a shock. Guns* win fights against aggressive and moral-less enemies, not paper.
*This is not a plug for the powerful National Rifle Association or Donald Trump!