To help understand the business benefits of ISO 27001, take a moment to think about your business, the service you provide to your customers and the customer systems you have access to or the customer data you hold. If your information security isn’t up to scratch, your business becomes a risk to their business because you could be a gateway to a cyber-attack.
Now think about the cost of a data breach to your business and to your clients; the loss of business, brand impact, loss of customer trust and the potential fall in share price. According to the 2018-2019 Global Application and Network Security report commissioned by Radware, the average cost of a cyber-attack exceeds $1 million but cases can be even more severe. The recent ransomware attack on Norsk Hydro is estimated to have cost the Norwegian aluminium producer more than $41 million.
Thinking this way is a sobering exercise. Good cyber hygiene and information security management are necessary to mitigate these risks. If this is your objective, an ISO 27001 certified information security management system will help.
You may have considered this before and concluded that you don’t have the time or resources, but the cyber threat landscape is constantly developing. The supply chain is often seen as the weak link by attackers targeting a big business. For this reason, buying companies are starting to see the benefits of ISO 27001 certification in their own supply chain and to require suppliers to certify.
What is ISO 27001?
ISO 27001 is the international standard for an information security management system (ISMS). The current version is ISO 27001:2013.
The standard is concerned with the management of information security and follows the Deming cycle phases of ‘Plan-Do-Check-Act’ to achieve continuous security management improvement.
ISO 27001 is not an IT security standard. It is risk led and looks at information security risks across the business, including those falling outside of IT such as physical security risks, HR security risks and supplier security risks.
The standard lets organisations determine their own risk acceptance criteria and their approach to managing risks. Whereas one business might consider a risk unacceptable unless treated and reduced using controls, another business may consider the same risk acceptable.
ISO 27001 is supported by a family of information security guidance and associated documents. The family includes:
- ISO 27000: Definitions
- ISO 27001: Standard for an Information Security Management System
- ISO 27002: Techniques – Information Security Controls
- ISO 27005: Techniques – Information Security Risk Management
- ISO 27017: Techniques – Information Security Controls for Cloud Services
- ISO 27018: Techniques – Protection of PII in Public Clouds
ISO 27001 is the standard against which organisations are audited and, if successful, certified. The supporting documents provide guidance on implementing the standard but are not mandatory. The additional controls for cloud environments in ISO 27017 and ISO 27018 are becoming increasingly common among SaaS and IaaS providers.
Assuming you successfully pass your Stage 1 and Stage 2 audits, you will be certified for 3 years, subject to annual surveillance audits.
What are the benefits of ISO 27001?
A certified ISMS indicates you take the management of security seriously (within the scope of certification) and are happy to have your security management system independently assessed. The business benefits of ISO 27001 certification are numerous, and include:
An effective ISMS will help improve your ability to withstand and respond to cyber attacks and information security breaches. Roles and responsibilities will be defined, senior management engaged, incident response plans tested and business continuity procedures in place. Your employees will be trained and better prepared for dealing with risks.
ISO 27001 certification has gone from being niche to commonplace. Organisations know their supply chain can be a weak link. Likewise, data controllers are looking to work with processors with security best practice in place. A certified ISMS can help your business stand out from competitors and may even be obligatory when bidding for new business.
ISO 27001 certification won’t make you compliant with GDPR or NIS, but the disciplines embedded by a certified ISMS will certainly help you meet key obligations under both. These include leadership commitment and engagement, risk led decision making, implementing organisational and technical controls and continuous evaluation and improvement.
Likewise, another benefit of ISO 27001 is that it will help you meet information security contractual obligations. Sometimes these may require you to become certified within an agreed period of time. We also regularly see contracts that list minimum security controls which are aligned to ISO 27001. Certification will clearly help you satisfy such obligations.
Continuous Security Improvement
Information security management isn’t a ‘set and forget’ topic. Threats evolve, new vulnerabilities arise constantly, and risk appetites change. For these reasons and more, it is essential to keep your security posture under continuous review and improvement.
An ISMS will help ensure continuous review and improvement of the way your business manages security, proportionate to the risks faced.
If you’re thinking of gaining ISO 27001 certification, we’re here to help wherever you are on your decision path. We can help with an initial workshop, carry out a full gap analysis, support your ISO 27001 project or manage your ISMS for you.