Last year I worked on a project group with ENISA (the European Network and Information Security Agency) that studied the whole area of certification schemes within the information security industry. The group looked at the different schemes focused on personal accreditation, product certification and organisational certification. The merits of certification were discussed in detail and ENISA have now published their report.
The main recommendations from the report are:
- Personal accreditation schemes should be encouraged by the EU for individuals depending on their job profile, from the end user up to the Chief Security Officer.
- Companies should look at independent schemes to measure and certify their Information Security Management Systems against.
In the report, ENISA also suggests that an “ISO 27001 lite” should be developed for SMEs. I have to say I disagree with this, as I believe ISO 27001 can be made to fit organisations of any size. What we need to do is make the understanding and adoption of the standard easier for SMEs. When you mention ISO 27001, or indeed any ISO accreditation, to an SME they immediately think of the cost of hiring expensive consultants to roll it out. So what we need is an interpretation guide for the SME rather than a new and separate standard like “ISO 27001 lite”.
The full report is available on ENISA's website. If you look in the reference section you will see they refer to this blog and my post, which was developed as a result of the workshop in November ’07, listing the various information security certification schemes that are available.