How to reduce the value of the certifications (1/2)
Cesare Gallotti
Consultant in information security, Lead auditor ISO/IEC 27001, ISO 9001, ISO/IEC 20000; CISA, ITIL Expert, CBCI
The Italian version of this short article is here: https://blog.cesaregallotti.it/2021/03/come-sminuire-il-valore-delle.html.
Fabio Guasconi (from Bl4ckSwan) reported to me the following news about an ISO/IEC 27037 certification: https://www.csqa.it/Sicurezza-ICT/News/Digital-Evidence-ISO-IEC-27037,-CSQA-rilascia-il-p.
This certification was issued according to the Italian accreditation rules set by Accredia, the Italian accreditation body (i.e. the certification body CSQA did nothing wrong, and I know their audits are professional and correct).
The problem is that standards like ISO/IEC 27037 are guidelines: they give recommendations, not auditable requirements, and they are not intended to be used for any kind of certification.
So, what happened? Accredia extended the idea behind standards like ISO/IEC 27017 and ISO/IEC 27018 (which were written to extend the controls of a statement of applicability, including in the context of an ISO/IEC 27001 certification) to standards written in a very different way, such as ISO/IEC 27035 and ISO/IEC 27037.
Accredia, unfortunately, did not try to regulate and improve the market (i.e. by stopping the incorrect use of guideline standards and by asking the standardization bodies to issue requirement standards for the relevant subjects), but supported the wrong ideas of... whom?
Here lies the question: why did Accredia support this wrong approach? Lack of competence? A need to raise its income (but Accredia is a regulator, so it should not have this kind of problem)? Weakness in the face of market requests? The need to remind the whole world that Italians are very creative, especially when we do not want to follow the rules?
This is not the first time that Accredia has wanted to be creative. It did so when it created the accreditation rules for ISO/IEC 27701 (luckily, they will be replaced by ISO/IEC 27006-2), requiring ITIL competence of auditors and other funny things like that, and when it approved a privacy certification scheme without involving all interested parties (i.e. the Italian DPA).
Unfortunately, this endangers the value of certifications.