Tricky: The Scope of Compliance Certifications

Posted on May 14, 2011 by



The need to be compliant to this or that is one of the rare principles that are relatively easy to sell to the board.

Confusion, however, usually kicks in as soon as the scope of the compliance has to be decided on. By that, I do not mean the scope of the compliance criteria but the scope of WHAT is subject to the compliance.

Take for example ISO 27001: What is (or probably was, by its creators) supposed to be a strength of ISO 27001 – the capability to tailor the Information Security Management System approach described in the standard to different organizational scopes and different organizational (management) boundaries – seems to result in at least one drawback: How to trust an ISO 27001 certification, when what is actually certified is not the organization but might also be just a piece of a part of a section of an IT department's services or operations? It is always a good idea to have a rather close look at what exactly the certification was actually issued for, what the actual scope of the certification and the scope of compliance is (not that long ago I could witness how it took many meeting hours and even more emails to get an agreement about the scope of an ISO 27001 certification).

Take PCI-DSS, the Payment Card Industry Data Security Standard. One of its requirements: vendor patches released more than one month prior must be applied to all machines in the scope of compliance.

Take COBIT; it is relatively clear about its scope of application: the IT organization. I say relatively because in real life it is not that unusual that there is no such thing as one single (and by single I mean centrally managed and governed) IT organization.

Take SSE-CMM, the Systems Security Engineering Capability Maturity Model. The obscure object of desire of SSE-CMM (the scope it applies to) is "the product"! I remember the enthusiastic attempts of an InfoSec team (which I was part of) some years ago to define the scope of the "product". After just 3 brainstorming meetings on the matter: childhood friends did not speak with each other anymore, marriages got broken, and career paths ended…

Lesson learned: Pay extreme attention to the subject of the scope of compliance assessments, certifications or certification attempts. The scope definition is a really important element for both sides of the coin, whether you assess a compliance/certification or you want to achieve it.