Benefits and Challenges of Certification


Merits and demerits of certification

The decision to pursue ISO/IEC 27001 certification involves both advantages and challenges. Based on over 30 years of experience in certification and standards development, the following points outline some of the key benefits and concerns commonly encountered. This summary is intended to provide general insight and does not represent an exhaustive list.

| Item | Benefits | Concerns |
|---|---|---|
| 1 | Independent Perspective: A third-party assessment offers a fresh view of risks and omissions within your management system. | Auditor Variability: Interpretation and technical depth can vary. Some auditors lack practical IT expertise, while others may not possess up-to-date technical skills, resulting in inconsistent audit quality between auditors. Auditor rotation can also create continuity issues for clients. |
| 2 | Auditor Expertise: Auditors are specialists in ISO principles across the board and can provide structured insight based on broad experience. | Superficial Audits: Auditors may claim specialist knowledge without hands-on experience, leading to limited verification of system controls and a false sense of security for clients. This can result in “soft grading.” |
| 3 | Defined Competence Requirements: Certification bodies (CBs) operate under ISO/IEC 27006, which specifies minimum competence, experience, education, and sector-specific knowledge requirements for ISO/IEC 27001 auditors. | Reduced Competence Standards: The revision of ISO/IEC 27006 unexpectedly lowered certain auditor competence requirements, increasing potential inconsistencies in audit depth and integrity. |
| 4 | Ongoing Competence Maintenance: CBs are required to provide training and maintain the skills and knowledge of their auditors to ensure consistent and effective audits. | Outsourcing and Impartiality Risks: To reduce costs, many CBs now use hybrid or fully outsourced auditor resource models. This can erode impartiality, create conflicts of interest with consultancy firms, and reduce oversight of audit integrity. Accreditation bodies rarely raise nonconformities on impartiality, allowing these risks to flourish. |
| 5 | Auditor Coverage: Flexible resourcing models enable auditor coverage that meets most client scheduling needs, regardless of geographical location. | Aging Auditor Demographics: Many auditors are semi-retired or of senior age, and their technical knowledge may not be maintained sufficiently. |
| 6 | Standardised Risk Evaluation: Risk assessment and countermeasure evaluations typically follow recognised models such as ISO/IEC 27005, providing a consistent approach. | Generic Risk Models: Many organisations and consultants rely on simplified templates derived from ISO/IEC 31010 and 27005, often replicated without adaptation. This limits scope and depth, and may leave important risks unaddressed. |
| 7 | Asset-Based Approach: Although not mandated, the standard’s process orientation supports an asset-based method for risk assessment, linking assets directly to information risks. | Incomplete Asset Coverage: Key or dependent assets—such as infrastructure, hardware, or external services—are sometimes overlooked, causing generic risks to be applied instead of meaningful, specific evaluations. |
| 8 | Structured Threat and Vulnerability Review: Threat and vulnerability assessments are based on standardised approaches, helping ensure comprehensive coverage. | Limited Threat Horizon Awareness: In some regions, particularly where cybercrime is relatively low, awareness of threats and vulnerabilities can be limited, leading to incomplete or inadequate analyses. |
| 9 | Process-Driven Flexibility: A process-based approach allows event-driven or process-specific risk assessments to be integrated into ongoing management activities. | Process Mapping Skill Gaps: Non-manufacturing or administrative organisations often lack process mapping understanding, making it difficult to identify event-based or process-specific risks effectively. |
| 10 | Continual Improvement: Certification promotes continual risk reduction through regular reviews, improvement actions, and accountability. | Paperwork Mentality: Certification efforts may become a documentation exercise if not embedded into management behaviour. Increasing reliance on “ISO software” can also result in superficial compliance if inputs are poor. |
| 11 | Structured Standards: ISO standards are designed with a logical, consistent format that promotes alignment and comparability across management systems. | Ambiguities in Standard Wording: Some clauses are poorly written or translated, requiring interpretation through IAF MD documents. Linguistic inaccuracies by non-native English-speaking committee members can cause misunderstandings when translated. |
| 12 | Integrated Audits: Combining multiple management systems into a single audit can reduce duplication and save costs. | Integrated Audit Trade-Offs: While integrated audits save costs, auditors with multiple qualifications may lack sufficient depth in each area, leading to surface-level findings. |

Why (and When) to Get Certified

Certification is most effective when an organisation already has defined processes and a strong leadership commitment to information security improvement. It can open access to new markets, strengthen customer confidence, and build long-term operational resilience.

Things to Consider with ISO Certification

Before pursuing certification, consider whether your primary objectives are to improve internal management, meet customer information-security requirements, or enhance trust and credibility. Each goal influences how your Information Security Management System (ISMS) is implemented and maintained.

Final Thoughts

While ISO certification can provide structure, credibility, and assurance, the evolving landscape of the industry has raised concerns about the consistency of expertise and impartiality within certification processes. For some organisations, it may be more practical to purchase and implement the standards internally, then pursue second-party validation instead of full third-party certification. This approach can be more cost-effective and less disruptive to daily operations, particularly when supported by modern technology and remote auditing and assessment techniques.