isms – Dan Vasile, InfoSec Adventures (https://pentest.ro)

ISMS Certification vs Conformity
https://pentest.ro/2011/08/16/isms-certification-vs-conformity/ (Tue, 16 Aug 2011 16:12:54 +0000)

So, as stated here you can certify against ISO/IEC 27001 only. But why certify? Here are some reasons provided by certification bodies.

Certification finds no basis in legislative or regulatory requirement, so why bother? The best answer is to validate that investment in security controls meets business goals and provides business value. Business value is found in managing business risk, achieving high levels of legislative and regulatory compliance, and managing vulnerabilities and threats. The ISO security standards provide a disciplined approach to information security, business risk management, and compliance management. Certification provides an independent validation that the organization has applied that discipline effectively and proves due diligence on the part of executives and management, that they are addressing the information security needs of the organization.

The business value of certification includes a disciplined approach that promotes the development of security management processes, methodologies, tools, and templates that may be reused across the organization and through security planning, implementation, operations, monitoring, tracking, and reporting. With basis in an industry standard like ISO, the tracking and reporting tools promote easier audits; this implies less cost of the actual audit and higher likelihood of passing an audit.

So, the benefits would be:

  • Established a formal approach to IS
  • Raised the internal visibility of IS
  • Raised the level of IS awareness
  • Proof of robust controls
  • Clear focus & control of Risk Management
  • Increased customer confidence
  • Tangible competitive advantage
  • Embedded IS in a process of continuous improvement

But is it really necessary to certify? Wouldn’t it be more useful to comply with the standard?

This depends on the situation. An external auditor is always welcome because he can see what the internal staff overlooked. This doesn’t imply certification.

One situation where certification is needed is when a business partner asks for it. When you gain access to sensitive information from a partner, the partner needs to know that you can handle it in a proper way. He doesn’t have the time to check it himself, so he asks for a formal process like an ISMS to be in place to assure him that his data is safe.

An ISMS should be implemented in all businesses, but certification is not a must.

ISO ISMS history
https://pentest.ro/2011/08/16/iso-isms-history/ (Tue, 16 Aug 2011 15:29:27 +0000)

The ISO is developing a new series of security standards, the first of which is ISO 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements. ISO 27001 replaces British Standard (BS) 7799, Part 2. BS 7799, Part 1 evolved into ISO 17799, Information Technology—Security Techniques—Code of Practice for Information Security Management, and is now known as ISO 27002. Definitive plans are not yet available; however, tentative plans for additional ISO security standards in the 27000 numbering series include ISO 27003, covering security implementation guidance; ISO 27004, for metrics and measurements; and ISO 27005, covering risk management.

Certification against these ISO standards is only defined for ISO 27001, that is, an organization may be certified ISO 27001 compliant. ISO 27001 describes how to build what ISO calls an ISMS. An ISMS is a process to create and maintain a management system for information security. ISO 27001 references details from ISO 27002 and describes how to apply the ISO 27002 security controls; however, the organization is not ISO 27002 certified. By virtue of using ISO 27002 and adhering closely to the guidelines therein, an organization may claim to be ISO 27002 compliant, but without official recognition of this claim via certification.
