Certified secure and AVG-proof?

The processor agreements that customers and suppliers enter into often provide for auditing capabilities. But if, as a customer, you have to audit every supplier or, as a supplier, you are audited by every customer, you no longer get around to your actual work. Then it is convenient if an independent party performs an audit and can issue a statement about a supplier's practices. Less work for both customer and supplier. But what certifications are there, what is their value and who can provide them? In this article, I discuss both information security certification and privacy certification. I also discuss what to expect from a certified vendor.

15 May 2019

Information security certification

When we talk about information security, ISO27001 quickly comes to mind. This is a standard containing requirements for an information security management system. To comply with it, everyone - from the top of the organization to the shop floor - must contribute to information security and continuously improve it. Important aspects are a risk analysis and an improvement cycle according to the Plan-Do-Check-Act principle, as it is best known from quality management. Of course, you also have to be able to demonstrate that you run through this cycle periodically.

You choose the control measures, the controls, based on a risk analysis. In doing so, you have to consider the more than one hundred security measures laid down in the standard, so that none of them is overlooked. Examples of such measures are virus scanners, a lock on the door and confidentiality agreements with employees. Most of the measures are quite logical and also necessary for the vast majority of organizations. Still, implementing these measures in a way that can be demonstrated is a daunting task for many organizations. The measures range from the design of buildings to a confidentiality clause in employment contracts and requirements for the design of ICT. Which measures are applicable is recorded in a 'Statement of Applicability'.

A certification audit can be conducted by organizations recognized by the Accreditation Council or a similar institute abroad. A certification audit looks at whether the management system and the measures are described as being in place (the "set-up") and whether they are actually implemented at the time of the audit (the "existence"). When a certification audit is successfully completed, the organization receives a certificate. This can be issued to clients along with the Statement of Applicability.

The ISO27000 series of standards also includes:

  • The ISO27002 standard: this contains guidelines for implementing the measures in ISO27001. Organizations cannot be certified against this standard.

  • The ISO27017 standard: this is an extension of the security measures for organizations providing cloud services.

ISO270xx certificates have a limited term, during which the certifying body also conducts interim partial audits that the organization must pass to remain certified. It is therefore important to request a new certificate from the supplier when the current certificate expires.

Several industry-specific variants of ISO27001 have been created. For healthcare, NEN7510 has been developed, for which organizations can be certified. This differs little from ISO27001 in its latest version and is required by law for healthcare providers.

In early 2020, the government will replace the existing frameworks Baseline Information Security Government (BIR), Baseline Information Security Municipalities (BIG), Baseline Information Security Water Boards (BIWA) et cetera with the Baseline Information Security Government (BIO). The BIO elaborates the control measures from ISO27001 and adds about 140 (mandatory) government-specific measures. Certification based on the BIO or the existing frameworks is not (yet) possible.

It is also possible, often in addition to an ISO27001 certificate, to request an auditor's opinion on the "operation" of the control measures. This is an examination that retrospectively determines whether the control measures have been consistently applied over an underlying period, usually a year, and whether they are achieving their objectives and are therefore effective. The auditor then issues a "Third Party Statement" or a "Third Party Memorandum". The best-known types are the SOC 2 and the ISAE 3402 type 2. Of these, ISAE 3402 focuses on the supporting (service) organization from a financial perspective. SOC 2 and ISAE 3000 are not limited to the financial processes, but ISAE 3000 is less used so far. These statements provide more assurance, but only in retrospect.

Certification of privacy?

For information security, certification is nothing new. For privacy, it is different. The AVG (the GDPR) provides for certification in Article 42, but that certification cannot be obtained until the certification requirements have been established and certification bodies have been accredited. It remains to be seen when this will happen. Only then can organizations obtain certification.

Meanwhile, labels, certificates and seals issued by commercial organizations are emerging. Because these are generally not under independent oversight and the criteria are often not public, the value of these statements is unclear. For a limited group of suppliers, namely cloud service providers, the ISO27018 standard offers a solution. This standard contains control measures for handling personal data. It is not based on the AVG, but many of the principles of the AVG are reflected in it, such as legitimacy, purpose specification, data minimization et cetera. Until now, mainly (very) large cloud vendors have been certified against this standard.

Certification of an organization

All of the above certifications involve the certification of organizations, not the certification of products or services. So the claim, sometimes made, that a service is ISO27001-certified is inaccurate to say the least.

Finally

Is certification or some other third-party statement a guarantee that nothing can go wrong? No, it isn't. Not everyone always adheres to agreed-upon practices. This is no different with the supplier than with the customer. Sometimes things are also presented in an audit just a little rosier than the reality of everyday life. So it is wise not to blindly rely on a piece of paper.

Still, a certification or third-party statement does provide some assurance that the vendor has its affairs in order. At least it has been able to convince an independent third party of this - one that often has more experience in assessing information security or privacy than many a customer. With that, a certification or third-party statement forms a good basis for cooperation, especially if you, as the customer, keep your eyes open, remain in conversation about security and continue to make the necessary improvements. And it saves a lot of duplication of effort.

Knowledge partner

Robert van Vianen