» The Five Greatest Myths About ISO 27001

The Five Greatest Myths About
ISO 27001

Contributed By:   Dejan Kosutic

Very often I hear things about ISO 27001 and I don't know whether to laugh or cry over them.
Actually it is funny how people tend to make decisions about something they know very little about - here are the most common misconceptions:

"The standard requires..."
"The standard requires passwords to be changed every 3 months." "The standard requires that multiple suppliers must exist." "The standard requires the disaster recovery site to be at least 50 km distant from the main site."
Really? The standard doesn't say anything like that. Unfortunately, this kind of false information I hear rather often - people usually mistake best practice for requirements of the standard, but the problem is that not all security rules are applicable to all types of organizations.
And the people who claim this is prescribed by the standard have probably never read the standard.

"We'll let the IT department handle it"
This is the management's favorite - "Information security is all about IT, isn't it?" Well, not really - the most important aspects of information security include not only IT measures, but also organizational issues and human resource management, which      are usually out of reach of IT department.

"We'll implement it in a few months"
You could implement your ISO 27001 in 2 or 3 months, but it won't work - you would only get a bunch of policies and procedures no one cares about. Implementation of information security means you have to implement changes, and it takes time for changes to take place.
Not to mention that you must implement only those security controls that are really needed, and the analysis of what is really needed takes time - it is called risk assessment and risk treatment.

"This standard is all about documentation"
Documentation is an important part of ISO 27001 implementation, but the documentation is not an end in itself. The main point is that you perform your activities in a secure way, and the documentation is here to help you do it.
Also, the records you produce will help you measure whether you achieve your information security goals and enable you to correct those activities that underperform.

"The only benefit of the standard is for marketing purposes"
"We are doing this only to get the certificate, aren't we?" Well, this is (unfortunately) the way 80 percent of the companies think.
I'm not trying to argue here that ISO 27001 shouldn't be used in promotional and sales purposes, but you can also achieve other very important benefits - like preventing the case of WikiLeaks happening to you.
The point here is - read ISO 27001 first before you form your opinion about it; or, if it's too boring for you to read it (which I admit it is), consult with someone who has some real knowledge about it. And try to get some other benefits, other than marketing.

In other words, increase your chances to make a profitable investment in information security.