Fact: ISO27001, or any other compliance standard, needs a detailed review of risks that cannot be captured with a mere checklist.
Said by: the CEO of an IT services company
“We want to implement ISO27001 but why do you want to know our business and talk to my team? Why don't you guys just send a quick questionnaire? I will have my team fill it up. You just create the required documentation and in 15 to 20 days we will be done with it and go for the certification audit.”
Myth Debunked With The Fact Below
Any cyber security compliance (ISO27001, HIPAA, GDPR, SOC2, etc.) is about finding risks and mapping them to the organization's processes. This is never going to be possible without understanding the context of the organization, including but not limited to the vision of its management and the nature of its business. It is absolutely important to understand the products or services the organization offers, its internal departments, and the risks associated with each process. This in turn shows which controls and objectives of the compliance standard need to be implemented.
If a checklist is used while implementing a compliance standard or performing a compliance audit, it fails to capture the deeper risks inherent in that organization. A checklist approach defeats the whole concept and purpose of identifying risks, which is the fundamental building block of information security compliance.
Many compliance managers use ready-made checklists, which is the wrong approach. They need to understand the basics of the compliance standard and curb the habit of relying on checklists. Checklists can be formed eventually, but they must not replace the risk assessment approach.
Senior management must update their knowledge of information security. They must open their minds to compliance standards such as ISO27001, as well as to vulnerability assessment and penetration testing (VAPT), which is imperative for their corporate networks, web and cloud applications, and mobile applications. The right approach for companies is to find a good cyber security vendor or a top-class information security consulting partner, and to improve their organization's data security via threat modelling and other suitable approaches.
#cybersecurity #mythbusters #myths #ethicalhacking #datasecurity #ciso #cio #cisos