The Role of ISO Certification in Risk Management

4 years ago

Most IT leaders understand that obtaining an International Organization for Standardization (ISO) certification is table stakes for certain organizations, including data centers. Today, though, the ISO badge can serve a secondary purpose: a framework to guide decision-making as our notion of “business continuity” changes drastically amid the pandemic.

Much as a restaurant’s health inspection grade is not the only factor that affects its quality, an ISO certification cannot be the endpoint of an organization’s risk mitigation strategy. IT leaders who treat ISO certification as a foundation, rather than an endpoint, will be well prepared to handle the “new normal” of continual disruption. (Source)

ISO Certification

Adopting an “excessively concrete” definition of business continuity, Risk Management Principle 4 refers to “organizations’ capacity to plan for, prepare for, respond to, and recover from potentially disruptive events in the least disruptive manner possible.” This description of a constantly evolving threat landscape is what has led many organizations to the conclusion that CI/CD, or asynchronous deployment of automatic recovery software solutions, is now the new normal.

In the last few years, individuals and organizations have come to understand that the risk of a catastrophic outage has finally far outstripped the risk of a loss in reputation or the headache of back-pedaling from an error, and that managing risk must become an imperative.

In Search of Business Continuity, ISO/IEC 27002:2013 states, “everyone in an organization has a responsibility to translate top-level risk objectives and information security objectives into specific measures for the protection of information and information-processing systems, and to formulate effective controls commensurate with the actual risks.”

ISO/IEC 27002:2013

The actual risks to an organization as a whole should, in theory, be quantifiable in order to prevent threats from happening in the first place. However, the real threat is not an unknown piece of software that will happen to disrupt the network or infrastructure.

Creating a culture of risk awareness requires making transparent each organization’s past success rate of preventative measures and other factors that are unrelated to one’s existing insurance policy and monitoring tools.

Rather, the real threat to a business is the changing perception of business continuity. In the insurance business, this is called the “high severity/low frequency” ratio. According to Jerry DeMuro, Business Continuity Associates’s chairman and a fellow at the University of Texas’s LBJ School of Public Affairs, in the April 2005 issue of Disaster Recovery Journal, “Losses are likely to be catastrophic and to be so infrequently experienced that organizations may have difficulty assessing their insurance needs.

The most relevant exception is the loss of system availability, which occurs on a daily basis, but almost never impacts the organization for more than a few hours.”

Choosing the right IT infrastructure should be decided by IT leaders based on the potential benefits to the organization in terms of revenue, ability to attract and retain customers, and, ultimately, its long-term viability. While safety is an intrinsic good, safety alone will not win business; neither will speed.

Applying this lens to ISO Certification, we find that “excessive” adherence to best practices, i.e., the glacial moment-by-moment implementation of the industry’s long-held and well-understood solutions, is no longer effective in the face of our changing sense of business continuity.

The Role of ISO Certification in Risk Management

ISO certification should be viewed as the means by which an organization can quantify its readiness to act and respond to a trigger event and perform a high severity/low frequency action. Risk Management Principle 5 refers to “the use of risk assessment techniques to prioritize risks, which are the combination of the likelihood and the impact of a hazard, and the assessment of the adequacy of risk mitigation measures.”

This means that our organization’s hard drive hardware specifications, server software, authentication, authorization, and directory service may all be central to our risk mitigation approach to IT infrastructure, but they should not be the first line of defense.

ISO certification is a useful way to quantify risk management, but is not a substitute for risk management itself. By adopting the “new normal” through electronic configuration control systems, static-code analysis, CI/CD, and frequent disaster recovery testing, we can better avoid the moment when we are separated from our critical assets and unable to act quickly because we have nowhere to begin.

Although ISO certification is not the same thing as a “business continuity plan” or any other kind of plan — and, technically, the organization’s ongoing provision of a product or service is the only way to meet the international consensus standard — it does provide a quantifiable means to track an organization’s risk in a way that can be independently verified across an enterprise via ISO’s internal audits.

While ISO certification may not significantly reduce the costs and risks that an organization faces as its sense of business continuity changes, it can form the basis of an ongoing risk mitigation strategy and help bring clarity to an organization’s most important questions:

  • How much do we value our IT assets?
  • How much do we value the reliability of our product or service?
  • What is our organization’s business continuity plan?
  • How does ISO certification fit into our plan?
  • How much risk are we willing to take?

ISO is a philosophy and a process, not a destination. As information security risks grow, so too does the need for leadership. ISO certification is a useful tool in quantifying risk management, but it is only part of the equation for success against the “new normal.” Risk management is changing the way we do business, and ISO certification should change how we report on that change.
