ISO 27001 Stamped Inadequate for Open Banking


ISO 27001 has led the way globally as an information security standard, allowing businesses to achieve certification to "best practice" and satisfy their customers assurance requirements.


The Open Banking regulation and related Consumer Data Right (CDR) issued by the ACCC and OAIC was first implemented on 1 July 2020. The CDR has adjudicated that the leading ISO 27001 standard doesn’t cut it as a way of meeting the information security requirements for accreditation. The following excerpt explains why.


CDR Excerpt on ISO 27001


An ISO 27001 certification does not meet the information security

requirement for accreditation. ISO 27001 is a standard for implementing

an information security management system, and an ISO 27001

certification attests that the organisation uses this framework to

manage security and has certain controls in place. However the

certification does not give assurance that these controls are designed

effectively or adequately to mitigate the risk of an information

security breach or incident. Nor does an ISO certification meet the

information security requirements specified in Schedule 2 of the

Consumer Data Right Rules as it can be implemented at different

organisations in different ways and it does not require a minimum

baseline for each control.


This is a major turning point for ISO 27001 and its position as an assurance solution. Although it applies only to service providers seeking CDR accreditation, a statement like this made by leading regulatory bodies in Australia is likely to influence the broader users and their perceptions around ISO 27001. For most businesses, the goal is to find one assurance solution that satisfies all of their customers requirements, and it’s unlikely ISO 27001 will continue to be able to do that.


The CDR wasn’t the first regulation to raise questions over the adequacy of ISO 27001. The APRA CPS 234 standard implemented from July 2019, requires APRA regulated FSI’s to prove the operational effectiveness of controls protecting their information assets; including those managed by third party service providers. Although that leaves some room for interpretation, the consensus seems to be that ISO 27001 is insufficient to address these requirements.


So where does this leave ISO 27001?


ISO 27001 is likely to continue decreasing in relevance and suitability as an assurance solution. But it remains a great standard for information security. It’s broadly applicable, clearly defined and prescribed, sets a high standard of practice, and is supported by a vast network of consultants, tools and templates. For businesses implementing an information security program, it provides an effective solution with the peace of mind that it's universally recognised as good information security practices.


A shift in the way it is used as an assurance solution, may see a decrease in businesses seeking an official certification to ISO 27001. That doesn't mean it will decline in relevance as a standard for implementation of an information security management system. It complements other assurance solutions like SOC 2, that are less prescriptive on how to implement the control practices and more focused on the assurance aspect to the control practices.

ISO 27001 Consumer Data Right

In a major blow to ISO 27001, the Consumer Data Right for Open Banking has ruled it insufficient for the infosec accreditation requirements.