Imagine the scenario: after a long process, you select a key technology partner. An offer lands on the table, with a proudly presented ISO 27001 certificate. You feel relieved – your data, processes and reputation will be in good, verified hands.
What if this certificate is just a facade, issued without a solid audit and verification? In today’s digital ecosystem, trust is currency, but its blind acceptance can lead to disaster.
What is ISO 27001 in theory?
Before we dive into the world of ‘paper tigers’, let’s recall the basics. ISO/IEC 27001 is an internationally recognised standard for Information Security Management Systems (ISMS).
In practice, it is a comprehensive recipe for how a company should methodically approach the protection of its information assets. The aim is to ensure the three pillars of security: confidentiality, so that only authorised persons have access to data; integrity, ensuring that data is accurate and complete; and availability, which ensures that authorised users have access to information when they need it.
It is crucial to understand that ISO 27001 is not a one-off IT project but an ongoing management process, deeply embedded in the culture of the entire organisation: risks are reassessed, controls are measured, internal audits and management reviews are repeated, and the certification body returns for surveillance audits between recertifications. Being certified sends a clear signal to the market: “We take security seriously”. So much for the theory. Practice, however, can be much more complicated.
Real danger: Certification without accreditation
The problem arises when non-accredited certificates enter the scene: documents issued by a certification body that holds no accreditation for ISO/IEC 27001 audits. These are often quicker and cheaper to obtain, which tempts many companies. However, their evidential value is close to zero.
Accreditation is a formal confirmation that the certification body itself operates in accordance with international standards (for ISMS certification, ISO/IEC 17021-1 together with ISO/IEC 27006) and is regularly assessed by an independent accreditation body, typically a national one that is itself peer-evaluated within the IAF. Without this ‘protective umbrella’, nobody checks the auditors: the certificate becomes a mere diploma that offers no real guarantee that a sound audit ever took place.
Working with a partner that holds such an unverified document can mean that behind the pretty logo are superficial risk assessments that ignore the real risks. This often goes hand in hand with chaos in access rights, especially privileged and administrator accounts that are never reviewed or revoked.
What’s more, contingency plans may be outdated and backup restores tested irregularly or not at all, and the security processes themselves may be documented inadequately or not at all. Such a partner becomes a weak link in the supply chain, opening a potential gateway to incidents for which you, as the customer, may ultimately be held responsible.
Practical guide: “Check!”
A partner’s possession of a certificate does not exempt you from due diligence. Fortunately, checking its authenticity is not complicated. Verification should start by looking up the certificate number in an international public database such as the IAF CertSearch global registry, which lists certificates issued under accredited schemes. A certificate that cannot be found there should be treated as unverified until the certification body confirms it through its own public register, and a certification body that has no such register is itself a warning sign.
Next, it is worth going into the details of the document itself, paying attention not only to the expiry date and the standard version but above all to the key element: the scope of the certification. You need to ensure that it covers exactly the services, processes and locations you intend to use; if the scope statement on the certificate is vague, ask for the full scope description and the Statement of Applicability, which lists the controls the partner has actually implemented.
A certificate for an office in Warsaw does not guarantee data security in a hosting centre in another city. Finally, do not forget to ask a simple question: “By whom is the body that issued the certificate accredited?”. Any credible company should give a clear answer without hesitation, and you should be able to find that accreditation body among the signatories of the IAF multilateral recognition arrangement.
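The checklist above is easy to skip under deal pressure, so the following added example (not code from the original article) turns it into a small vendor due-diligence script. It evaluates a certificate record against what you actually intend to buy: registry lookup result, standard, expiry, accreditation, and scope coverage by location and service. All certificate data, the partner names and the list of recognised accreditation bodies are constructed for illustration; there is no registry API call, so the registry result is something you enter after a manual IAF CertSearch lookup.

```python
"""Vendor due-diligence helper: evaluate a partner's ISO/IEC 27001 certificate
record against what you actually intend to buy.

Added example, not from the original article. All certificate data below is
constructed. In practice you fill in the record from the certificate document
and a manual lookup in the IAF CertSearch registry (there is no API call here).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed, illustrative set of accreditation bodies you recognise. Build the
# real set from the current IAF MLA signatory list, not from this example.
RECOGNISED_ACCREDITORS = frozenset({"PCA", "UKAS", "DAkkS"})


@dataclass(frozen=True)
class Certificate:
    number: str
    holder: str
    standard: str                   # e.g. "ISO/IEC 27001:2022"
    certification_body: str
    accreditation_body: str | None  # None = the certificate is non-accredited
    valid_until: date
    scope_locations: frozenset[str]
    scope_services: frozenset[str]
    found_in_registry: bool         # result of your manual IAF CertSearch lookup


def check_certificate(cert: Certificate, needed_locations, needed_services,
                      today: date, accreditors=RECOGNISED_ACCREDITORS):
    """Return a list of (code, detail) findings, in check order.
    An empty list means the certificate passes every check in the article."""
    findings = []
    if not cert.found_in_registry:
        findings.append(("REGISTRY", f"{cert.number} not found in the public registry"))
    if not cert.standard.startswith("ISO/IEC 27001"):
        findings.append(("STANDARD", f"certificate is for {cert.standard!r}, not ISO/IEC 27001"))
    if cert.valid_until < today:
        findings.append(("EXPIRED", f"expired on {cert.valid_until.isoformat()}"))
    if cert.accreditation_body is None:
        findings.append(("UNACCREDITED", f"{cert.certification_body} shows no accreditation"))
    elif cert.accreditation_body not in accreditors:
        findings.append(("ACCREDITOR", f"{cert.accreditation_body} is not a recognised accreditation body"))
    # Scope must cover every location and service you intend to use.
    for loc in sorted(set(needed_locations) - cert.scope_locations):
        findings.append(("SCOPE_LOCATION", f"{loc} is not covered by the certificate scope"))
    for svc in sorted(set(needed_services) - cert.scope_services):
        findings.append(("SCOPE_SERVICE", f"{svc} is not covered by the certificate scope"))
    return findings


def finding_codes(findings):
    """Just the codes, for a quick pass/fail summary."""
    return [code for code, _ in findings]


# Constructed sample: an accredited, valid certificate that covers only the
# Warsaw office and software development, while you also want hosting elsewhere.
WARSAW_ONLY = Certificate(
    number="EXAMPLE-0001", holder="Example Partner sp. z o.o.",
    standard="ISO/IEC 27001:2022", certification_body="Example Certification Ltd",
    accreditation_body="PCA", valid_until=date(2027, 6, 30),
    scope_locations=frozenset({"Warsaw office"}),
    scope_services=frozenset({"software development"}),
    found_in_registry=True,
)

# Constructed sample: a 'paper tiger' with a broad scope but no accreditation,
# no registry entry and an expiry date in the past.
PAPER_TIGER = Certificate(
    number="EXAMPLE-0002", holder="Example Partner sp. z o.o.",
    standard="ISO/IEC 27001:2013", certification_body="Quick Certs Inc",
    accreditation_body=None, valid_until=date(2024, 1, 31),
    scope_locations=frozenset({"Warsaw office", "Kraków hosting centre"}),
    scope_services=frozenset({"software development", "managed hosting"}),
    found_in_registry=False,
)

NEEDED_LOCATIONS = frozenset({"Warsaw office", "Kraków hosting centre"})
NEEDED_SERVICES = frozenset({"software development", "managed hosting"})
REVIEW_DATE = date(2025, 9, 1)

if __name__ == "__main__":
    for cert in (WARSAW_ONLY, PAPER_TIGER):
        result = check_certificate(cert, NEEDED_LOCATIONS, NEEDED_SERVICES, REVIEW_DATE)
        print(cert.number, "OK" if not result else "FINDINGS:")
        for code, detail in result:
            print(f"  [{code}] {detail}")
```

Run against the two constructed records, the first certificate passes every formal check yet still fails on scope (the hosting centre and the hosting service are missing), which is exactly the Warsaw-office trap described above; the second fails on registry, expiry and accreditation before scope is even reached. Treat every finding as a question for the partner, not as a verdict: a registry miss may be a data-upload lag on the certification body's side, but it is theirs to explain.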
Trust under control is the new norm
In an era of increasing cyber threats and new regulations such as the NIS2 directive, which makes organisations responsible for the security of their supply chain and not only of their own systems, we cannot afford to be superficial.
ISO 27001 certification is a powerful tool for building trust, but only if there is a viable, verified and continuously improved process behind it. The next time a partner’s certificate is on the table, ask yourself a fundamental question: do you trust or verify? The answer could determine the security of your business.