Wednesday, April 9, 2008

Business Benefits of ISO 27001 Certification

We first met Mark Bernard last fall. The Security & Privacy Officer at Credit Union Central of British Columbia, Mark discussed risk management and ISO 27001 Certification.

Today, Mark's credit union is the first financial institution to achieve ISO 27001 certification. Read this interview for his insights on:

  • What it means to be ISO 27001 certified;
  • How the institution has changed as a result;
  • Potential payoffs for your institution if you follow this same path.

TOM FIELD: Hi, this is Tom Field with Information Security Media Group. I'm talking today with Mark Bernard, Security and Privacy Officer with Credit Union Central in British Columbia. You may recall him talking to us earlier last year about his institution's work in the ISO 27001 Certification. Mark is here today to tell us that this institution has completed that certification. Mark, thanks for joining me today.

MARK BERNARD: My pleasure, Tom, and thanks for having me drop in and visit.

FIELD: Mark, what does this achievement really mean for your credit union?

BERNARD: Well, the credential is widely accepted within our industry, both here in North America and in Europe, and it's a way of our credit union being able to demonstrate to the other credit unions and our other financial institutional clients the level of security that we've applied here at Credit Union Circle.

FIELD: How would you say that your institution has changed as a result of this 10-month process that you've gone through?

BERNARD: Well, I think that the big thing that has changed is the level of awareness, certainly within the various departments that we have here, and the credit union system has gone up substantially. People now recognize the value of, or they are realizing the value of having an information security credential such as this, and it is helping us to identify information security issues and address them more effectively.

FIELD: Mark, what would you say is the big payoff for the institution for having achieved this certification?

BERNARD: I think there are many different payoffs. There is an economical payoff by simply reducing the number of, I guess, external consulting engagements that are necessary, which are costing hundreds of thousands of dollars. And now we have a bona fide external audit group that comes by twice a year to monitor our activity and provide a list of opportunities for improvement. So it has benefited us economically, and I think as an organization in general, the culture has benefited as well. It's more focused on information security now and the identification of assets and how we treat assets and how we treat the threats and the risk, and the vulnerability associated to those assets. So, it's been very positive actually.

FIELD: Now how about for your members; what if anything will they notice from the changes that you've undergone?

BERNARD: It's really designed to be a measurement; the process is a measurement of the performance of practices and identification of opportunities to improve those practices. So, the membership doesn't immediately see anything substantial. Although, the members that I have come into contact with and spoken to are extremely impressed with the amount of due diligence that we've applied to our information security practices, and feel a higher extent or level of trust for the information that they've entrusted to us.

FIELD: Well, that makes sense, and of course trust is the most fundamental currency you have with your members.

BERNARD: Yes, absolutely.

FIELD: Mark, what would you say are your biggest sort of lessons learned from this whole experience you've been through?

BERNARD: I think taking a very -- one of the most important things is taking a very sort of pragmatic approach. Identifying the culture within the organization and not be sort of, the implementation activities and integration activities around that culture. Providing ample room for people to adjust to change is important. As well as giving them an opportunity to learn and understand what information security means. These are all very crucial components.

FIELD: Now, have you heard from other financial institutions that have been sort of on the sidelines watching what you've been going through?

BERNARD: Absolutely. Two of our biggest partners here in British Columbia have acknowledged the fact that they're very impressed with the work that we've done. And now they are actually considering becoming ISO 27000 certified themselves.

FIELD: O.K., for those that are sort of watching and waiting and thinking about maybe dipping their feet in, what advice would you give to them if they are considering the same move?

BERNARD: Well, again, I think paying attention to the culture is probably the most important part to avoid any disruption to the current organization. There are many, speaking of the organization, there are likely very many things that are already being accomplished within the ISO framework that just need to be pulled together in a way that can be recognized and reported and documented. So, it's not going to likely create a lot of disruption, but there will be a difference, and it will be a positive difference.

FIELD: You know, it occurs to me, you bring a team together for a project like this that there must be sort of a team culture that remains that you can sort of channel into other areas in the business?

BERNARD: Absolutely, and that's a very good point, because after becoming ISO certified and after getting the information management system institutionalized if you like ... you have this framework in place where you audit conformity to controls and evaluate the need to accept, reject or transfer that risk and as well monitor the change within the organization. So that framework exists, and because of that framework now in existence we are looking at other standards such as the BS 25999, which is Business Continuity Standard, and integrating those controls within the ISMS.

FIELD: Excellent, so there is always another big project on the horizon?

BERNARD: Yes, and the ISO framework provides many opportunities for improvement and to draw new sets of controls and to manage those more effectively likely than they have been in the past.

FIELD: Well, Mark, next time we talk, we may have to get you to come in here for a longer session to show us how it is all done.


FIELD: Mark Bernard, I appreciate your time and your insights today. Congratulations to you and good luck with your future endeavors.

BERNARD: I appreciate the opportunity to speak to you and all the members.

FIELD: We've been talking with Mark Bernard of Credit Union Central in British Columbia. For Information Security Media Group, I'm Tom Field. Thank you very much.



Pete said...

It would be prudent for your readers to fully understand the limited scope of Mr. Bernard's ISO achievement. It would certainly give a more full context to the relatively short period of time it took to implement.

forfin said...

Nice article :)

If you want to find more information about Information Security Management System, I recommend ISMS GUIDE.

ISO 27001 Certification said...

The ISO 27001 Certification Lead Auditor certification consists of a professional certification for auditors specializing in information security management systems based on the ISO/IEC 27001 standard and ISO/IEC 19011. This certification is provided by accredited certification bodies or unaccredited ones. Accredited means having gone through an accreditation process via a national accreditation body such as American National Standards Institute.