Dejan Kosutic is the founder of the Information Security & Business Continuity Academy. In this interview he discusses the future of compliance, ISO 27001 documentation, audit preparation, and much more.

Many entering the information security industry wonder about the basics, so what does it mean to be compliant? What are the pros and cons of making sure you adhere to a certain standard?

If speaking about ISO 27001 (the leading international information security management standard) being compliant means that an organization has adapted its internal processes so that they protect the confidentiality, integrity and availability of their most critical information.

And this is where most misconceptions about ISO 27001 come from – first of all, information security is not all about IT, because usually the weakest link in security are the people. Firewalls and anti-virus software are necessary, but they are not enough. An organization has to figure out how to protect its information in all the other cases, and that includes someone from the inside wanting to do damage. A comprehensive approach is therefore needed, and this is what ISO 27001 defines.

Further, ISO 27001 does not prescribe which type of firewall an organization must use or how it must configure it – this is something the organization needs to define by itself, based on the potential incidents that could happen. Those potential problems are called risks, and their identification (called “risk assessment”) is the foundation of any information security management. It’s only after you find out where the risks are that can you define what kind of security controls you need, and how much you must invest.


I've seen too many times how top management, thinking that information security equals IT security, pushes this kind of project onto the IT department. But the IT department usually doesn't have the knowledge of the business side of the organization or the authority to make necessary changes, so those project often run into trouble.

Regarding pros and cons – I would say that the main benefit is that you don't have to reinvent the wheel. The standard is written by leading information (and IT) security experts, so basically you don't have to learn from your own mistakes.

The biggest negative side when it comes to the use of this standard is that it won’t work as it should if there are no business benefits to its implementation. Many companies try to implement it because someone from the middle-management thinks it's quite fancy, but they don't get the support from the top management. After a while they realize they have invested a great deal of energy into something that isn’t needed.