More and more prototyping companies who routinely work for large companies have gotten certified to ISO 27001:2013 (*). If you have been scratching your head about what this standard about information security management entails and what it means for you, let me try and help clarify this topic.
Here are three aspects that you probably want to check:
1. Are your main concerns really covered?
First, many companies are ISO 27001 certified, but the way they implemented their management system is quite meaningless when it comes to your concerns.
Let’s look at the 3 main purposes of an information security management system (ISMS). You need to make sure the focus of your supplier’s system is aligned with the highest risks you have identified on your side.
- Confidentiality of the data – that is usually the main concern of companies developing a new product. Their design files, BOM, and prototypes should not be seen by anybody outside of the project team. And nobody from the project team should use that information to compete with the company. This is also front of mind for many established businesses that have a strong R&D lead over their competitors in countries such as China. They are afraid of hackers penetrating their IT systems and copying the content of some of their databases.
- Integrity of the data – you want, of course, the data to remain usable, well organized, etc. Some of the good practices are rather obvious if you already have a document control process – e.g. use a good template for the BOM, label each version of each document with v1.10, v1.1, etc.
- Availability of the data – when the information is needed, authorized personnel should be able to access it. Some malicious hacks or malware can make that impossible.
2. Are the security objectives relevant to your needs?
Let’s say you are, above all, concerned by the confidentiality of your product designs. You need to make sure your supplier is paying attention to that topic.
Some relevant objectives, which must be tracked and compared to a target at least once a year, would be, for instance:
- No critical issues, and no more than 1 major issue, revealed by a quarterly penetration audit.
- No employee can see sensitive files and then leave without having signed all the required agreements.
- No fire accident (which might destroy your prototypes/PP samples).
Some not-very-relevant objectives would be:
- Over 99% uptime of the website.
- Few non-conformities on an audit related to data availability.
3. Anything scary in the SoA?
And finally, a very important document to look at, to assess how strong information security is in a company in relation to your topic of interest: the Statement of Applicability (SoA).
ISO 27001 requires the company to define the scope of the information security management system. It is a list of documents and their related controls, basically.
The implication here is clear. The company getting certified can indicate that it doesn’t want some of its documents & processes to be controlled for security.
This should be related to a risk analysis and to the main goals pursued. And there should be a justification for omitting certain controls.
I would still review it, as the certification body’s auditors may not look at it from the same angle as you. If, for example, the controls related to supplier relationships are omitted, but you know that firmware coding or tooling fabrication is subcontracted, the whole system is meaningless!
To sum up, don’t take this type of certification at face value. Ask for more information.
And most importantly, to prevent leakage and/or your supplier competing with you, it’s usual to follow these guidelines:
- Limit the number of parties who can see your whole product concept.
- Sign the right types of legally enforceable agreements with anybody who can see your product design.
- Don’t work with companies that can be tempted to sell your product behind your back – I touched on this in “The Danger of Developing your Custom Product with an ODM Factory”.
(*) Yes, 2013 is the publication year of the most recent version of that standard. I’d think new concerns have emerged since then in this field, but apparently not. They are working on a few adjustments, but not on a new version.