ISO 27001:2005 certification: Why should risk and insurance managers care that their providers achieve it?

Just today, we announced external certification of ISO 27001:2005 compliance. This certification is the latest in a decade-long series of third-party, audit-based accreditations we have sought and attained at Aon eSolutions. I encourage you to read our press release for more information. 

Why is this an important point for risk and insurance managers and the information technology, audit, compliance and security teams they work with? The short answer, which I’ll develop more fully in this post, is that many of the high-profile data breaches you read about in the news are caused not by external hackers, but rather by broken business processes and lack of policies and procedures. Certification of ISO 27001:2005 assures Aon eSolutions customers that our business processes and polices include the components of this strong and robust standard. 

The prominent role of broken processes, policies and procedures in data breaches may come as a surprise to many of you reading this blog post; however, it’s a point supported by research like that released last summer by Symantec and the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy. 

So, what do we mean by “broken business processes” and “lack of policies and procedures,” both in the general sense and as they relate to risk, insurance and safety managers? It’s a valid question for anyone in the risk management community. First and foremost, it's all about managing risks—as everyone in our industry knows. 

Let’s look at some “risk realities” I believe crucial to a company today. 

Risk Reality #1: Companies today are outsourcing, which brings reward and risk. 

The decade long trend toward outsourcing has enabled companies to take advantage of partnerships that reduce cost, improve service and expand functionality. 

At the same time, when a company brings outside vendors and/or partners into the business, it creates risks. These risks span performance, availability—and data security and privacy, all the way to a potential data breach.

The business must be able to effectively and accurately assess the risk and consider risk management in the vendor/partner selection process. No vendors are alike, which is especially true in the market for business solutions and services provided by a hosted, or cloud-based, partner. But to effectively assess the risk, a company must understand the architecture and design of the solutions they are considering. And as you add vendors to the solutions architecture, you are at greater risk of data exposure/breach, based solely on the number of providers who make up the solution you ultimately use.

Risk Reality #2: With a cloud environment, we can't audit the way we once did.

Years ago, before shared infrastructure solutions like software as a service (SaaS), application service providers created dedicated technology environments for each client. If a company needed to perform an audit, they could do so, as the systems were specific to each client. Today’s model of a cloud/shared infrastructure makes it impossible for clients to perform individual audits, as they could expose other clients’ data. This leaves us in an uncomfortable position and potentially accepting risk that has not even been identified. I will discuss how third-party certifications like the ISO27001:2005 help with this risk later.

Risk Reality #3: Risks are too great to be unprotected.

On the one hand, utilizing vendors/partners that store and/or process our data makes good business/financial sense. On the other, the cost of data breaches, even for midsize organizations, can easily cost in the multi-million dollar range. 

So, how can an organization place confidence in effective risk mitigation for a partner that they cannot fully audit themselves? Phone calls with the vendor’s security or IT teams don't provide any actual evidence. Completed security questionnaires fall short because detailed internal and sensitive information cannot be shared externally. 

The best solution is a third-party audit that results in certifications, accreditations or an independent report. The ISO27001:2005 is the certification that the most prominent global organizations obtain to demonstrate their security and controls. Microsoft Office 365 and Google Apps are examples of the class of organizations that hold this certification. 

One caution: an ISO27001:2005 certification for one organization may not be the same thing for others. The actual scope of the certification must be understood and considered to ensure full use of the standard on the entire set of business process and technologies provided by the partner. If the certification is specific to a part of the products or services that have been outsourced by your partner to yet another vendor, it may cover only a fraction of what needs to be covered. You must take the steps to ensure a combination of different certifications provides complete coverage—if that's even possible. 

Aon eSolutions’ full ISO27001:2005 certification is in place for the entire hosted environment and all processes and procedures in Aon eSolutions’ information security management system. This level of certification provides prospects and clients the most comprehensive security program and controls review possible in our industry.

ISO 27001:2005 certification, especially when grouped with our existing URAC HIPAA Security accreditation, demonstrates that from the perspective of risk mitigation and data security, Aon eSolutions provides the highest level of protection to our clients and their data. Being certified by an internationally recognized accrediting body like BSI Group offers customers the assurance that data security is built in to all aspects of our business, from strategic planning to day-to-day operations.

David Black is chief information security officer for Aon eSolutions. David is based out of the Atlanta Aon eSolutions office. Email David at David.Black@aon.com.