Google has proudly told the world its online productivity suite, Google Apps, has gained the ISO's good cloudkeeping seal of security approval, in the form of the ISO 27001 security certification. Eran Feigenbaum, Google Enterprise's Director of Security, let us all know the good news on Monday, US time, and named Ernst & Young …
Well done, Google Apps
But, as we all know, 27001 certifies the information security management system - a rather different beast than the underlying technical nuts and bolts of security. It's similar to ISO 9000, which doesn't require a defined level of 'quality', just one that's appropriate for the needs of the organisation (and, of course, you must be able to justify your choice of 'appropriate' to the external assessor).
So I hope no-one is thinking they could simply move their systems to Google and sail through a 27001 assessment. There's still the bulk of the work to be done: setting up management processes, conducting risk assessments and threat analyses, etc, etc.
Re: Well done, Google Apps
Sorry, I've no idea how that 'thumbs down' icon got there - that was not what I meant, at all.
What about ISO 27002?
It's all well and good to have a management system in place, but the processes underneath require ISO 27002 certification before the 27001 has any meaning whatsoever.
Besides, the fact that a company is "safe" doesn't mean it respects privacy. It's still a company subject to the US Patriot Act, which suggests it may be of use to a US resident and/or company, but flagged as "avoid like the plague" for aliens (to use that lovely, rather indicative term).
Re: What about ISO 27002?
ISO 27002 is a (pretty good and comprehensive) checklist of security mitigation measures, or 'controls' - some IT technical, others relating to staff and physical security - each of which should be at least considered as part of the information security management system that is 27001. It is not a standard that permits certification.
Yep. ISO 27001. Nice. Haven't looked at it for a while, but if it's like the earlier versions, Google can have a very limited security scope (statement of applicability) so it's easy to pass it.
Even apart from that, if the scope is bigger and you have ridiculous measures against risks but you write them up nicely and the auditors in their usual thorough fashion see that these measures are in place... that might still be allowed; i.e., IIRC, those ISO norms only have (mostly good though) suggestions for mitigating risks, but you can substitute your own if you think it makes more sense *cough*or is cheaper*cough*.
Of course, none of this matters, as they are fully certified, by Ernst & Young no less.
Ah well, the joys of ISO auditing ;)
(While - at least in the earlier versions I'm familiar with - the standard is quite good, as it compels you to think about security, gives best practices for controls and lets you customise a solution... you can unfortunately tweak this process a fair bit)
You're right that you can game the system by choosing a very limited scope (!= statement of applicability), and if you're looking for suppliers/partners that meet the standard, you must check the scope statement (which has to be publicly available). One of my customers (quite legitimately) has a scope limited to two isolated servers and their Internet connection.
The drawback is that you can't just assume compliance in the rest of your organisation that is outside your scope. So you have to have formal agreements with the rest of the business that they will meet the requirements of the standard in so far as they provide services to the part that is in scope (eg HR in dealing with vetting joiners, managing leavers etc) - this is nearly as much work as extending the scope (at least for medium-sized organisations that don't have separate HR, IT, Accounts for each division).
As for ridiculously (weak) security - well, if you've conducted a proper assessment and have business sign-off for the risks involved, it's very difficult for an external assessor to say (in effect): I understand your business and systems better than you do and I don't think these are appropriate.
Of course, all security decisions are trade-offs (inter alia between direct and indirect costs and the level of security needed). I suppose there may be an organisation that has no need for confidentiality, integrity or availability of the information they hold, but I haven't come across one.
ISO is a scam
As an internal auditor for years, I can tell you with certainty that ISO certifications are a smoke & mirrors game that does nothing to prove or drive actual quality. What little advantage ISO compliant companies gain is immediately trumped by the bureaucratic leech that is attached to said company. READ: it is a PR ploy and a resource drain. And anybody that knows anything about security aught not be fooled by some ISO goofballs that can't possibly understand real security in the first place.
Re: ISO is a scam
aught - perfectly typed, just using the wrong set of letters. It probably would have passed an ISO quality check.
Re: ISO is a scam
Heh, I've not had any faith in anything ISO since MS were able to push their poorly defined and proprietary OOXML format through the system in an attempt to derail ODF. Reading about that whole process was an eye-opener.
Repeat 100 times:
Certification is not security.
Certification is not security.