Re: [iso-27001] The tail wagging the dog?

Nigel:
Starting ISO27001 on a limited scope is perfectly acceptable (actually, recommended), as long as it is considered to be part of a strategy that will gradually cover everything.

If there is no plan to move forward, and lots of self-congratulations, then what is being practised is better described as "security theater".

I suspect you will find that changing the status quo is very difficult, especially if the CIO does not get the importance of doing security. (I am assuming the security function reports to the CIO.)

Can demonstrating security increase the marketability of your products/services? Will negative security news impact the earnings? These are the only two drivers that the business side will understand. Until you can present your case framed in the concept of money made or lost, there is not much you can do.

I'd say polish your resume, because if you keep pointing out that the whole certification is a house of cards, you are going to be very unpopular with the boss.

Good luck.

Javed


Nigel Beard wrote:
Hi all,

I'm relatively new to an organisation in which the security team has applied ISO27001 to a small portion of the estate (3 applications out of over 400). The CIO regularly says things along the lines of "why am I bothering with this?" and the overall control environment is poor, yet we spend a large amount of cash signing up to gain the certification in areas that I would consider lower risk. Meanwhile, the compliant areas are touted as evidence of progress in the control environment.

I would be interested in the group view of the actual business value of signing up to 27001 on a broader basis. In my view, we are likely to be accused by the more "hands on" parts of the IT organisation, such as global service delivery, of being the smart a*ses who tell them that they are doing things wrong. What business value can we legitimately claim we give them through 27001 on selected systems when the overall control position remains weak? Moreover, I have been told repeatedly by my security colleagues that 27001 is not just security, or more precisely, that any type of IT control could be considered a control trying to achieve the ISO objectives of C, I and A. This seems to me to stretch credibility somewhat, especially since we only apply the security parts of ISO. I find the argument that capacity planning is a security function pretty tenuous, even if there is a section within 27001 which covers capacity.

Your views welcomed

Nige.


Wed May 13, 2009 3:58 pm
javed_ikbal

Messages in this thread:
Nigel Beard (nigelbeard98), May 13, 2009 8:28 am
Javed Ikbal (javed_ikbal), May 14, 2009 7:53 am