Are All ISO 27001 Certifications Created Equal?

Say you have to outsource the storage of your corporate data.

Say you have to assess a couple of (apparently) equally good-looking potential suppliers, both of which offer you housing/cloud services.

Say both of them are “ISO 27001 certified”.

Which are you going to choose?

Answer: ask to see the scope that has actually been certified. Every ISO 27001 certificate carries a scope statement that names the sites, services or business units covered; the certificate document (not the logo on the website) is what to ask for.

In other words: advertising on the corporate website or elsewhere that a company is “ISO 27001 compliant” doesn’t always mean that the WHOLE company actually is.

Maybe the certification has been obtained for the data centre only, or just for a small part of the infrastructure, or, say, for the financial department, while the hosting service you are about to buy sits outside that scope.

Thus, a fair use of the “label” would be a statement like “we are ISO 27001 certified for X, Y, Z” instead of the simpler (and misleading) “we’ve got ISO 27001”.

Next time, ask first: for the certificate itself, for the scope it states, for the certification body that issued it and for its expiry date. If the service you are buying is not inside that scope, the certificate tells you nothing about it.