Whether you want to reassure a board – or yourself – that your security programme is operating optimally, the ISO 27001 Information Security Standard gives you that confidence. Here are some business-focused benefits to becoming certified, and some tips for making that process run smoothly and successfully.
Choosing to get certified
First, let’s address a misconception: when it comes to certification, size doesn’t matter. It has nothing to do with how large your organisation is. It’s better to think of ISO 27001 in terms of how important you consider your organisation’s or your customers’ data. That could be business plans, financial information, intellectual property, payroll details, or credit card numbers. BH Consulting has certified a three-person company. Another SME client had just 10 employees when it obtained ISO 27001 certification. When a US multinational subsequently acquired that company, it turned out security was the easiest part of the due diligence process because of the certification.
The main reason I like to recommend ISO 27001 is that it’s an internationally recognised standard of good practices around cybersecurity. It is vendor- and technology-neutral. Being certified to ISO 27001 means an external independent body verifies, at least once a year, that you operate your security in the way you claim. That differentiates the standard from self-regulated standards like NIST 800, for example.
It also helps businesses that regularly sell to larger corporates. The larger the customer, the more rigorous their supplier due diligence tends to be – and rightly so. Security questionnaires now feature regularly in many tendering processes. Third-party risk is a legitimate concern for large businesses – think of how attackers breached Target’s network through a supplier.
I have noticed a growing number of companies and public bodies looking at ISO 27001 to support compliance with GDPR. Similarly, ISO 27001 is useful for managing compliance with security frameworks such as the EU NIS directive, or HIPAA.
Cyber insurance is a hot topic right now, and I know of many companies thinking seriously about taking out policies. Some insurers are giving discounts to ISO 27001-certified companies. (Personally, I believe there’s lots of hype around cyber insurance. I think it’s better to spend the money on good defences. Otherwise, it’s like choosing not to put seatbelts in your car, but taking out insurance against a crash instead.)
To sum up the benefits, ISO 27001 takes a risk-based approach to securing information. By definition, any organisation that has undergone the certification process can prove it operates a robust risk assessment process.
Ensuring successful certification
So, with a solid business case for getting certification, how do you ensure the process itself is a success? Here are some points to consider:
- Do it for the right reasons: to assure customers, stakeholders or external overseers that you keep data secure.
- Do obtain full support from senior management. Ensure they’re bought into the programme and that they provide the right resources and budget to ensure success.
- Do get buy-in from all parts of the business. ISO 27001 is an information security standard, not an IT standard.
- Don’t chase certification purely to satisfy a sales requirement or for marketing purposes. Otherwise you don’t get the correct level of focus on the standard. Treating it as a box-ticking exercise makes it very difficult to achieve and maintain certification.
- Do ensure information security is a regular agenda item at senior management meetings, not just an annual review. Have management actively review and sign off on security policies, and attend security awareness training.
If I’m auditing a company, and management aren’t attending, then I know the company isn’t serious about certification. It shows whether the effort goes beyond lip service to embedding a lasting, mature security culture. In many ways, it’s a classic chicken-and-egg scenario: without full support from management, successful implementation is unlikely. Yet a successful implementation ensures you have full support.