Often – far too often – people say to me: “We’re doing BS 7799 but we’re not going for BS 7799 certification – we’re just going to pick and choose what we need from the standard. After all, it’s just a badge on the wall, and we don’t really need another one of those.”
Rubbish.
There are two good reasons for certification. 1: Management are more likely to focus on effective implementation if they are signed up to certification as a key challenge – we all know that information security change programmes that don’t have management’s full support are usually doomed to failure and 2: certification keeps everyone honest – when you know there’s someone coming from outside on a regular basis to take a hard objective look at your management system, there’s no room for the “we’re not quite going to apply those criteria” back-sliding to take place.
If an organisation is going to the trouble of designing and implementing an ISMS to systematically reflect best practice, then you might as well reflect best practice – which includes achieving certification. After all, if your reputation depends on secure information, you really should secure it – shouldn’t you?