ISO 27001 and competitive advantage

I sat in, a few days ago, on a client interview with a network services provider. They were looking to finalise their choice of a company to support their substantial small network, of about 500 PCs. The provider’s offering was based on a primarily offsite, remote monitoring and response service; clearly, they expected to patch directly into the servers in our client’s data centre.
So I asked them to tell us a bit about how they managed information security. They have very good firewalls and anti-everything software, they told me, and they were very secure. ‘That’s cool,’ says I, ‘but I’m interested in your overall management system. Are you, for instance, cerficated against any international standards for information security management?’
There was a short silence.
Then their senior manager present said: ‘Sure, although I don’t remember specifically which. BS15000, or something, I think.’
‘Hmm,’ says I, ‘ BS15000 is the now withdrawn British Standard for IT Service Management. It does have an information security aspect to it, but it’s not an information security management standard per se.’
‘Oh, it is,’ says he.
‘Well,’ says I, ‘ can I suggest that you check, when you get back to the office, as to what standard you’re certificated against, whether or not your certification is still valid, and what the scope of the standard is?’
We got a telephone call from them today.
‘It is actually BS7799-2. We’re about to re-certificate to the international version of the standard, ISO27001. It is about IT Security, as I said, and the scope of the system is the Head Office IT services.
‘So your network service centre is outside the scope of your Information Security Management System, is it?’
‘Um, it appears that way, but our security is still very good.’
I explained that our client was in the process of implementing a management system that would meet the requirements of the standard and that ISO27001 certification was therefore a pre-requisite for any suppliers seeking remote access privileges.
He rang off.
So I didn’t need to tell him that our client had decided, immediately after the meeting, that there would be little point in further considering a supplier who so clearly couldn’t respond to such an obvious security c0ncern from a potential client.
Just one example of how ISO 27001 certification – with an appropriate scope – could have helped a client win a substantial new contract – although they would have had to ensure their new business teams knew what was going on!