More and more companies and governments have started to require their suppliers to be ISO27001 certified. This can be a strong push toward greater information security awareness, but it has downsides as well. Before you introduce such a requirement, ask yourself what you actually want to accomplish with it. It will not always produce the desired result, and its main effect may simply be on cost.

Positive Effect

Being an online platform ourselves, data security is in every fiber of our organization, and we take all kinds of measures to secure the data we process for our customers. As more companies make ISO27001 certification part of their vendor assessment, interest in the standard grows. Vendors will need to take a number of measures to secure the data they process, which raises awareness of data protection and of how to do it properly. Another benefit is that these companies become more aware of all the information they process, and of the consequences when something goes wrong. As a result, they take data protection much more seriously. Making data protection part of the vetting process for suppliers is therefore a sound idea.


Negative Effect

The downsides come mainly from the forced nature of this approach. As with other certificates in the past, we run the risk of the ISO27001 certificate becoming just a box to check. At that point the ISMS becomes just another annual audit a company needs to pass, which undermines the standing of every ISO27001 certificate worldwide. Furthermore, when more companies hold ISO27001 certificates without taking them seriously, more certified companies will leak data, and every breach at a certified company diminishes the value of the certificate.


Yes, data protection matters in every market segment and should be taken seriously. However, treating the ISO27001 certificate as a box to check during vendor vetting can harm ISO27001 as a whole. It also creates a false sense of security, because the fact that a company is certified does not by itself mean there is a real focus on data security: a certificate only attests that an auditor found the ISMS conforming within its declared scope. If your organization decides to make ISO27001 compulsory for vendors, always assess the ISMS and not just the certificate. At a minimum, confirm that the certificate's scope covers the services and data you are buying, and ask for the Statement of Applicability and evidence that the controls it lists are actually operated.
