Achieving ISO 27001, a peasant’s view
A few years ago, some heavyweight customer came up with a precondition on some contract, so we paid a hefty amount to acquire (more like... buy) an ISO 27001 certificate. As some of you would already know, it's roughly about "… an Information Security Management System (ISMS) … through which the organisation identifies, analyses and addresses its information risks". Well... the process was ridiculous and theatrical.
Some well-clad good man came up to the office and talked to our superiors for about an hour. And then the next day, our superiors talked to us, in the form of reading from an A4 and giggling and giving each other side looks about our everyday violations of all that we were thereby swearing an oath to uphold. Nobody ever checked whether we complied with anything at all. And after a few days, we achieved our ISO 27001 certification. We didn't even need to fake it!
- There were still passwords on papers and post-its on desks
- There never was (and never has been) an audit of IT staff
- We still have many workstations that are kept running even when there's no one working on them; these workstations are protected (if at all) by one-word passwords, and some of them have "root access" to each and every server in our infrastructure
- We still have no authorisation or access log of any form, on any element of the infrastructure
- We still have almost zero segmentation on our network
- We still use and share the same passwords on infrastructure and even 3rd-party services, and have for several years, and almost every former employee has the knowledge
Eventually, we got the certificate and we did get the job. Everyone's happy; ignorance is bliss. Is this all about being in the East of Europe? I'm not so sure.
Late note: If you're intrigued, I must suggest to you this awesome discussion of ISO 9000, from 1998.