Digital Management Inc. (DMI), a Maryland-based NASA and defense IT contractor, was hit with a massive breach of sensitive government data, and is currently being extorted by the hacker collective known as DoppelPaymer. The hackers published a portion of the information they obtained from DMI servers, which included files from NASA and a trove of DMI’s own information. They have since encrypted DMI’s servers, and will not release them unless a ransom is paid.
At the same time, however, DMI holds ISO 27001 certification issued by the ANAB-accredited registrar SRI. In a press release published in 2011 announcing its certification, DMI clearly tied the certification to its ability to protect such data:
Formal certification of DMI’s information security procedures offers further assurance that DMI can be counted on to safeguard its clients’ most critical information.
Later, in 2014, DMI’s Beth Leonard wrote:
Our customers trust us to reliably and securely manage their most vital information assets. Earning the ISO 27001:2005 certification is a rigorous process that offers our customers further assurance that we can be counted on to safeguard their most critical information resources, as we deliver our second-to-none enterprise mobility solutions and services.
Leonard’s LinkedIn profile credits her with implementing ISO 27001 for DMI, although she no longer works at the company. That profile boasted that her work to implement an integrated management system at DMI was “a first in the industry” and that DMI received “zero nonconformances” from SRI during its audits. After leaving DMI, Leonard went on to become a promoter of ISO’s “risk-based thinking.”
The same press release included a quote from registrar SRI’s Vice President, A. Joseph Falcsik:
We are pleased to acknowledge that DMI has demonstrated effective implementation of a management system. ISO/IEC 27001 certification provides evidence to customers, suppliers, employees and their community of their commitment to information security and customer satisfaction.
DMI is an ISO industry darling, having attended at least one International ISO 9000 Conference. In 2013, DMI gave a presentation on its ISO 9001 certification — also issued by SRI — and its “innovative management review process.”
DMI also holds SRI certification to ISO 20000-1, a standard designed for IT service management systems.
SRI’s website, meanwhile, boasts of the confidence its ANAB accreditation provides:
Accreditation by a recognized body, such as ANAB … ensures the impartiality and competence of the certification body and fosters confidence and acceptance by end users in the public and private sectors of a certification body’s certifications.
In 2019, PCM Technology Solutions was hit with a cyberattack while holding ISO 27001 certification from the UKAS-accredited registrar ACS Registrars.
A 2018 breach of the credit reporting agency Equifax affected over 400 million consumers, one of the largest in history, even as the company held ISO 27001 certification from EY Certifypoint, a division of Ernst & Young. EY Certifypoint is accredited by the Dutch accreditation body, RvA. It was later discovered that Ernst & Young’s financial auditing division had also audited Equifax’s IT systems, but reported nothing.
All three of the accreditation bodies involved — ANAB, UKAS and RvA — are signatories of the International Accreditation Forum, whose role is to ensure the trust and interoperability of international accreditations.
The language on the official ISO certificates themselves and that published by ISO and the various certification bodies is often at odds with reality. The bodies typically explain away such disparities by insisting that ISO certification is “not a guarantee” of anything, despite what appears on the certificate.
Representatives from SRI and DMI did not immediately respond to requests for comment.