Thoughts and musings all things people and process
When choosing a supplier that may have any access to your confidential information, it's certainly reassuring if they have ISO27001 certification. Without doubt, maintaining ISO27001 requires significant commitment. It provides reassurance that the company in question are operating a systematic framework to identify, control and mitigate risk and also that they are being audited on a regular basis against a set of best practice requirements compiled by global experts.
But there are two camps. Those that seek certification purely because they need the badge. A tick in the box.
And then there are those who either want or need the badge but who also fully embrace the ethos behind the standard. You can't automatically tell who is who.
Bear in mind that identified risks can be mitigated or accepted. You may well find that your risk appetite is lower than that of your potential supplier: what they consider an acceptable risk may be something you would find inconceivable. Before you accept a supplier at face value because they hold a valid ISO27001 certificate, run through the following points with them:
So, don't just take ISO27001 as a cast-iron guarantee. External assessment visits are, after all, just a pre-arranged sampling exercise. Ask more of your potential supplier than just a copy of their ISO27001 certificate. If they truly believe in their Information Security Management System, then they'll be only too happy to help.