Information Security: No cowboys please

December 7th, 2009 by

There are some things that make me grind my teeth with despair. People who seem to think that everyone in the train carriage will appreciate the music on their phone, for example, or the grammar checking function on my word processor that’s convinced it knows better than I do. Oh, and companies that trade on the reputation of international standards, without actually complying with them. I admit, that last one’s probably a bit more specific to me than the other two.

In my particular field (information security) the international standard is ISO/IEC 27001:2005. There are lots of good reasons to comply with this standard, which are well documented elsewhere on the IT Governance website and in this great little pack of books on the subject. For the purposes of this post let’s just say that if you need to keep your company information present, correct and secure, ISO27001 is the standard you want. Organisations do want it, too, in their thousands, and they look for help in implementing it.

To accommodate this need, companies like IT Governance invest vast amounts of money in continuously training and updating people like me, to ensure that the clients we service get to the point where they can be audited, by an accredited third-party audit body, in a timely, efficient and above all effective manner. We don’t just want our clients to have a certificate on the wall: we actually want them to have a robust security environment so that their, and subsequently our, business operation and reputation are maintained. That’s why we don’t issue certificates ourselves, because it would be unprofessional and, in my opinion, unethical.

Unfortunately, some companies do issue their own certificates. They advertise ISO27001 compliance services, and then once the invoice has been paid by the customer and they’ve spent a couple of days on site, they print off a certificate. Let’s take a second to consider this approach in the context of the wider world: I have not certified myself to drive and then printed my own driving licence. I had to pass an examination to be allowed to drive, which was endorsed by a qualified third party. My doctor has not certified himself to practice medicine. I know this because, if he had, there’s a good chance I’d now be dead. He had to pass quite a few exams, and continues to do so. The same can be said of airline pilots, bus drivers, firemen, accountants… the list goes on.

So why, when they are attempting to create a secure and efficient environment for their business, their livelihood, would anyone wish to engage the services of an organisation that certifies its own work?

Would you?

Find out how IT Governance Consultancy services could help you today.