July 22, 2019

Last Updated on January 15, 2024

It sometimes happens in the course of supporting clients during ISO 27001 certification projects or other information security assessments that we uncover “check-the-box” documents. For example, these might be policies that were downloaded from the Internet and quickly modified to “simulate” compliance on a Shared Assessments questionnaire or similar vendor self-report survey.
But these “check-the-box” policies are never intended to be approved or implemented. They might identify positions and titles that don’t even exist. The whole point is just to check the box on the survey and get/keep the customer or attestation.
When “check-the-box” documents come to light, we strongly impress upon our clients the perils and likely repercussions of doing this.

For example

If a third-party auditor representing a certification registrar uncovers such a document, they will basically consider it fraud. Repercussions would likely include not certifying the applicant—which is a huge setback given all the time and effort that is put into achieving compliance.
If the auditor involved represents a government regulatory body, such as HIPAA or GLBA, repercussions of uncovering a falsified “check-the-box” document might well include fines and sanctions, along with a finding that the organization is not in compliance with the regulation.
Anytime a “check-the-box” document is put forth as “evidence” of compliance, we as advisors can only recommend appropriate next steps—we’re not judge or jury. It’s up to our client whether they want to use such documents. Our job is to identify gaps within their environment so they can properly implement or maintain their security controls to achieve or maintain certification.
Therefore, we would identify and document the falsified policy as a gap, and further document this could hinder them from obtaining or maintaining certification. This makes it clear that we’ve consulted with them on the matter and informed them of our concerns.
Policies and procedures are a critical step towards ultimately operationalizing a robust and compliant information security control environment that can withstand the scrutiny of audits and meet the contractual demands of customers and regulators—as well as effectively protect sensitive data. Creating and approving these documents should be taken seriously so that the organization accrues maximum value for its efforts.
If you have questions about how best to develop an information security policy or process documentation, or would appreciate help in achieving optimal results with these deliverables, contact Pivot Point Security. We make it simple to know you’re secure and prove you’re compliant.