The phrase “Small Is Beautiful” is widely credited to British economist E. F. Schumacher. It has evolved to champion small, enabling and empowering approaches, in contrast with phrases such as “bigger is better”. A lunchtime conversation today between myself, our Audit Practice Area Manager (PAM), and a client struggling to find the time to address his need to become ISO 27001 certified – really brought this thought home for me.
It became clear during our conversation that our client needed to find a way to reduce the scope to allow him to move towards certification in the relatively compressed time frame that his current contracts stipulate. The challenge was doing so in a manner that would still provide the assurance that his clients sought. For reference, our client provides human resources related business process outsourcing. Our PAM took the interesting approach of segregating the three predominant areas requiring attestation: Data Center (colocation) Security, Systems Security (for the servers operated in the Data Center), and Application Security (for the application that customers use to request and receive services); pursuing certification only for the Data Center (the original approach was to include all three of these areas in the 27001 scope); and using other forms of attestation to address the latter two areas.
At first blush the distinction seems minor; however, from a 27001 certification perspective the difference is immense. Relatively speaking, the 27002 controls in scope go from 120 plus to approximately 10 (e.g., the controls relating to 3rd Party Service Delivery Management, External Parties, and Incident Response). As the Data Center has a SAS-70 that details controls relating to Physical Security, Availability, and Environmental Controls, addressing the External Parties and 3rd Party Service Delivery controls is relatively easy.
The key to the success of the approach is clients accepting Credentialed Vulnerability Assessments/Penetration Tests to substantiate the effectiveness of their systems security efforts and Application Vulnerability Assessments/Penetration Tests to substantiate the effectiveness of their application security. As both are widely accepted forms of attestation, the likelihood of this is quite high. Longer term, the plan is to expand the scope of the 27001 Certification each year to eventually cover the originally planned scope.
So if you’re hard-pressed to move towards 27001 Certification rapidly – consider mechanisms to reduce the initial certification scope while still providing the comprehensive security assurance that your clients are looking for.