ISO 27001 has long been the leading global information security standard, allowing businesses to certify against recognised "best practice" and satisfy their customers' assurance requirements.
The Open Banking regime and the related Consumer Data Right (CDR), regulated by the ACCC and the OAIC, commenced on 1 July 2020. The CDR accreditation guidance states that ISO 27001 certification, on its own, does not meet the information security requirements for accreditation. The following excerpt explains why.
CDR Excerpt on ISO 27001
An ISO 27001 certification does not meet the information security requirement for accreditation. ISO 27001 is a standard for implementing an information security management system, and an ISO 27001 certification attests that the organisation uses this framework to manage security and has certain controls in place. However the certification does not give assurance that these controls are designed effectively or adequately to mitigate the risk of an information security breach or incident. Nor does an ISO certification meet the information security requirements specified in Schedule 2 of the Consumer Data Right Rules as it can be implemented at different organisations in different ways and it does not require a minimum baseline for each control.
This is a major turning point for ISO 27001 and its position as an assurance solution. The reasoning follows from how the standard works: the organisation defines the scope of its management system and justifies, in its Statement of Applicability, which controls apply and how, so two certified organisations can have quite different control baselines and a certificate says little about the effectiveness of any particular control. Although the CDR position applies only to service providers seeking CDR accreditation, a statement like this from leading Australian regulators is likely to influence how a much broader set of customers perceives ISO 27001. For most businesses the goal is a single assurance solution that satisfies all of their customers' requirements, and it is unlikely ISO 27001 will continue to do that on its own.
The CDR was not the first regulation to question the adequacy of ISO 27001. APRA's prudential standard CPS 234, in force from 1 July 2019, requires APRA-regulated financial institutions to test and demonstrate the operational effectiveness of the controls protecting their information assets, including controls operated by third-party service providers. That wording leaves some room for interpretation, but the consensus is that an ISO 27001 certificate by itself is insufficient to evidence those requirements.
So where does this leave ISO 27001?
ISO 27001 is likely to keep losing relevance and suitability as an assurance solution. It remains, however, a very good standard for information security: it is broadly applicable, clearly defined and prescriptive, sets a high bar for practice, and is backed by a large ecosystem of consultants, tools and templates. For a business building an information security program, it provides an effective blueprint with the comfort that it is universally recognised as good information security practice.
A shift in how it is used for assurance may reduce the number of businesses seeking formal ISO 27001 certification. That does not mean it will decline in relevance as a standard for implementing an information security management system. It complements assurance solutions such as SOC 2, which are less prescriptive about how control practices are implemented and more focused on giving independent assurance over the design and operating effectiveness of those controls.