Frequently Asked Questions about Information Security

Question:  When did Central 1 Credit Union obtain the ISO/IEC 27001 certification?
Answer:  In February 2008, just 10 months after formally launching its effort.

Question:  Why did Central 1 choose to pursue ISO/IEC 27001 certification? What advantages did Central 1 anticipate as a result of obtaining this rigorous certification?
Answer:  The key reason was to optimize our business processes. We receive a lot of requests for external audits from our business partners who need the ability to audit our information security controls. Handling these audits, one-by-one, is expensive. Central 1 decided that it would be more cost-effective to certify to an accepted standard and provide that to our partners as evidence of a robust Information Security Management System.

Question:  Why did Central 1 choose ISO/IEC 27001 instead of SAS 70 or another ISO certification?
Answer:  We chose to pursue the most recognizable and credible certification. The ISO/IEC 27001 is an internationally recognized standard and is superior to all others. Most other security frameworks and standards (e.g. SAS 70s and CISA 70s) are based on principles found within the ISO standard.

Question:  What are some of the operational and competitive advantages of certification?
Answer:  From an operational perspective, one of the biggest benefits is that ISO/IEC 27001 focuses on compliance with a management system that has the ability to influence all areas of an organization. It’s a much more productive way of managing security because it calls for being proactive and risk-focused, and it is also more people-centric than simply following control checklists. In selling to financial institutions across Canada, Central 1 has found certification to the ISO/IEC 27001 standard to be a competitive advantage. In fact, we are the only online banking service provider in Canada to earn the accreditation.

Question:  What have been the results of achieving the certification?
Answer:  Central 1 receives inquiries about compliance to other security frameworks. Our compliance certification to the ISO standard usually addresses these inquiries. Ultimately, certification provides external validation that we meet a rigorous information security standard and it provides assurance to our partners that they can conduct their business here with confidence.

Question:  Who can audit an organization for ISO/IEC 27001 compliance?
Answer:  Only someone who’s been trained and certified as an ISO/IEC 27001 Lead Auditor.

Question:  What certification requirements does the auditing organization enforce to ensure the business has conformed to the ISO/IEC 27001 Information Security Management Framework?
Answer:  There are two primary requirements/components that must be in place:

  1. The Information Security Management System contains 17 mandatory controls. If these basic controls are not in place, the auditors will identify a major non-conformity; without immediate remediation, this is sufficient reason to revoke certification.
  2. There are an additional 133 controls listed within “Annex A” of the standard. These are the measure against which the auditors evaluate us, and they form the basis of our control framework.

Question:  How does an ISO auditor determine controls and their implementation for a system that is in place?
Answer:  The Stage 1 Audit is a paper walk-through of the program and a conformity matrix (i.e. Statement of Applicability) to prove that the ISMS is in place. At the end of the Stage 1 Audit, the auditor determines if there is enough evidence to proceed to the Stage 2 Audit. The Stage 2 Audit builds on Stage 1, but requires the auditor to interview all the managers responsible for each control, beginning with the Corporate Information Security Office. The auditor must validate the evidence from the Stage 1 Audit by observing actual evidence of conformity. As part of our ISMS program at Central 1, we have also integrated the OCTAVE and OWASP Threat-Risk Assessment methods into our Enterprise Risk Management framework. We also conduct regular privacy impact assessments and follow COBiT self-control assessment practices. The results of these assessments are reviewed with the ISMS Management Review Committee, a governance body comprised of the Central 1 leaders responsible for each business portfolio.

Question:  How does the certification guarantee that controls and practices are in place and maturing?
Answer:  The Statement of Applicability (SoA) is a controlled document that lists all of the controls in use at Central 1 and is updated as new controls are required. The SoA is one of the 17 mandatory controls previously mentioned. Another mandatory requirement that ensures maturing control environments is the Continuous Improvement Program, which demands corrective and preventative action plans.

Question:  Is it possible to have control gaps and still receive certification, as long as the auditor sees evidence that there is a plan in place to implement those controls?
Answer:  If the control gaps reference those listed in the ISO/IEC 27001 ISMS or “Annex A,” then an organization’s continued certification is at risk. At Central 1, we reviewed and agreed to use all controls from “Annex A” — a choice that has now been independently verified on a regular basis by external auditors, internal auditors and our security testing providers.

Question:  Where can I go to get more information about the ISO/IEC 27001 standard?
Answer:  A copy of the ISO/IEC 27001 standard can be purchased from the International Organization for Standardization. There are also several Internet resources, including Wikipedia.