For the longest time, I have been a firm believer in the interplay between the various IT disciplines and frameworks, a belief spawned largely by the excellent ISO 27001 course I attended, led by Steve Watkins of IT Governance.
One of those umbilical cords between Information Security and SAM (Software Asset Management) was the requirement to mitigate the risk of "delivery up" (i.e. having to uninstall software and return it to the software publisher) in the event of non-compliance with the terms and conditions of any governing contracts and/or licence agreements.
But here is my question:
1. If organisations earn ISO 27001 status, surely they should be licence compliant? After all, to mitigate the risk of delivery up they should already have compared their installed software against the proof of entitlement the organisation can actually lay its hands on.
This spawns two further questions:
2. What are ISO 27001 certifiers and auditors doing to validate licence compliance?
3. If companies are so concerned about being vendor-audit ready, why aren't they plugging into their ISO 27001 certification as a means of corroborating their licence position?
I wish to offer question 2 to the wider Info Sec community – as someone who operates in the SAM sphere, I just do not see that alliance between the two disciplines, so I am intrigued to know just how deep that validation goes.
As for question 3, I would be very interested to hear from end-user organisations that have been through ISO 27001 certification: what extra steps (if any) did you have to take to get your IT estate "SAM safe"?