certification – Dan Vasile, InfoSec Adventures (https://pentest.ro), feed generated Thu, 10 Dec 2020 11:11:23 +0000

ISMS Certification vs Conformity
https://pentest.ro/2011/08/16/isms-certification-vs-conformity/ (Tue, 16 Aug 2011 16:12:54 +0000)

So, as stated here, you can certify against ISO/IEC 27001 only. But why certify? Here are some reasons provided by certification bodies.

Certification finds no basis in legislative or regulatory requirement, so why bother? The best answer is to validate that investment in security controls meets business goals and provides business value. Business value is found in managing business risk, achieving high levels of legislative and regulatory compliance, and managing vulnerabilities and threats. The ISO security standards provide a disciplined approach to information security, business risk management, and compliance management. Certification provides an independent validation that the organization has applied that discipline effectively and proves due diligence on the part of executives and management, that they are addressing the information security needs of the organization.

The business value of certification includes a disciplined approach that promotes the development of security management processes, methodologies, tools, and templates that may be reused across the organization and through security planning, implementation, operations, monitoring, tracking, and reporting. With basis in an industry standard like ISO, the tracking and reporting tools promote easier audits; this implies less cost of the actual audit and higher likelihood of passing an audit.

So, the benefits would be:

  • Established a formal approach to IS
  • Raised the internal visibility of IS
  • Raised the level of IS awareness
  • Proof of robust controls
  • Clear focus & control of Risk Management
  • Increased customer confidence
  • Tangible competitive advantage
  • Embedded IS in a process of continuous improvement

But is it really necessary to certify? Wouldn’t it be more useful to comply with the standard?

This depends on the situation. An external auditor is always welcome because they can see what the internal staff overlooked. This doesn’t imply certification.

One situation where certification is needed is when a business partner asks for it. When you gain access to sensitive information from a partner, the partner needs to know that you can handle it in a proper way. The partner doesn’t have the time to check this directly, so they ask for a formal process like an ISMS to be in place to assure them that their data is safe.

An ISMS should be implemented in all businesses, but certification is not a must.

CISSP Intro
https://pentest.ro/2011/05/15/cissp-intro/ (Sat, 14 May 2011 21:30:45 +0000)

This starts a series of posts that deals with the CISSP CBK (Common Body of Knowledge). The summary covers all ten CBK domains that are required for the CISSP exam. One should not use this as a definitive guide for taking the CISSP exam, but rather as an intro to CISSP. All the data is gathered from various sources, starting from study guides for the exam and ending with materials found on the Internet.

As a side note, there are questions about CISSP vs CISA. The focus of those two certifications is different. While CISSP is focused on building and maintaining security (although it is not a technical standard), CISA is more focused on auditing and assessing risks and controls. Your choice of certification should be based on what you really want to work with. If you want to be a security professional, CISSP is the choice. If you want to be an IT/IS auditor instead, then you should take CISA. I’ve been an IT/IS auditor and am now an IS consultant; there is a lot of knowledge supported by both CISA and CISSP.
