Should Your Marketing Department Pay For Your ISO-27001, FedRAMP, & SOC2 Certifications?

I had the opportunity to review a presentation given by one of our clients’ CISOs to their Senior Management Team. The presentation was focused on reporting on current security initiatives and on budgeting for the following years’ initiatives.
The presentation was incredibly well done, and it progressed logically to a slide that really surprised me, wherein he asserted that the primary value of the ISO-27001 certificate, SOC2 report, and penetration testing was marketing. As a long-time information assurance professional, my first reaction was “that’s ridiculous”. As I sat and pondered the statement and finished working my way through his slide deck, I had moved to “that’s a pretty interesting perspective”.
Before you petition to revoke my CRISC, CISA, & ISO-27001 Lead Auditor certifications, there’s a bit more to the presentation. His perspective on the limited risk management value of ISO-27001 & SOC2 was caveated by the fact that they have been certified for 3 years and at this point are already confident that the ISMS is operating effectively. His perspective on the limited risk management value of penetration testing was caveated by the fact that they run their own vulnerability assessments & penetration tests. Hence, the third-party work efforts (ISO, SOC, pen tests) generally only tell them what they already know.
Where the presentation became even more interesting is when he suggested that the cost of the third-party attestation be moved to the company’s marketing budget so that his security budget could focus on efforts with more risk management impact (e.g., security monitoring, mobile device management, etc.). While I believe that his assertion that ongoing third-party attestation provides little risk management value isn’t accurate (minimally, third-party testing is an accountability mechanism that, when removed, would reduce the incentive to operate the ISMS), his assertion that third-party attestation is great marketing is.
Hence, one could (and he did) make the argument that your marketing department should pay for your ISO-27001 and/or FedRAMP certifications!