10 Common Misconceptions About ISO 27001


With so much publicity surrounding information security and costly breaches, it is little wonder that many businesses are looking at how to protect themselves. The recent Information Security Breaches Survey 2015, issued by HM Government, revealed that 28% of the worst security breaches were caused partly by senior management giving insufficient priority to security (up from 7% a year ago!).

So, if you are among those considering how best to manage and improve your information security, you may have considered seeking ISO 27001:2013 certification (strictly, organisations are certified by an accredited certification body; it is the certification body that holds the accreditation). Undoubtedly you will be weighing up your options, and we’re here to help dispel some of the common misconceptions about implementing ISO 27001:2013.


1. It’s expensive!

In relation to what? The Information Security Breaches Survey 2015 reported that the average cost of breaches soared in 2015. For large organisations, the average cost of the worst security breach of the year was between £1.46m and £3.14m and, for small businesses, between £75k and £311k. This includes elements such as business disruption, lost sales, recovery of assets, and fines and compensation. Consider now that 90% of large organisations, and 74% of small ones, experienced a security breach. How expensive does that ISO 27001 implementation seem now?


2. It’s time-consuming

Sure, there will be leg work, but the chances are that your organisation is already addressing many of the requirements, and implementing ISO 27001 will simply formalise your information security management system (ISMS). If not, then the exercise will undoubtedly lead you to focus on information security and to develop good policies and controls to safeguard your business. Whilst implementation can be admin-intensive, there are tools to help, including, of course, our own cloud software, which offers a prebuilt system for managing it. With the right frameworks and tools you will significantly reduce the hours normally associated with implementation and be able to concentrate on the important policies and controls you need for early success.


3. ISO 27001 is the responsibility of the IT Director

It may well sit in the IT Director’s job description, but without commitment at board level, and across all departments, ISO 27001 will be almost impossible to maintain. Staff engagement and communication will be key, so make sure you have systems in place to address this.


4. It just makes our life more complicated

Consider that 72% of companies where the security policy was poorly understood had staff-related breaches, and that 50% of the worst breaches in the year were caused by inadvertent human error! Now think how useful clear, concise policies will be for communicating with and training staff. Good software for managing your information security, and for communicating around it, will take the pain out of maintaining certification.


5. It’s paper-intensive

It can be, but it really shouldn’t be! We achieved ours in a paperless office. We manage our ISMS in one place, safely and securely in the cloud, available 24/7. No paper manuals, no emails, no printed audit reviews, nothing…all online.


6. It’s just a certificate for marketing purposes

Now, don’t get me wrong, it’s certainly going to help your sales and marketing team win business and give you a competitive edge. But you only have to read our article ISO 27001 Hygiene Expectation or Competitive Differentiator for Law Firms to understand why achieving ISO 27001 will give you sound business practices that protect both your firm’s interests and those of your customers.


7. It’s going to stop me having to fill in all those lengthy client security questionnaires

Sorry, we can’t promise that, but it will give your information security some structure and, organised well, it should give you one place to go for all the facts you need to satisfy the most rigorous of questionnaires. And, if you really want to wow your clients, invite them in to see how you run your ISO 27001 ISMS. We do this regularly, but because ours is online we can arrange a remote demonstration of our entire system, even adding them as a temporary team member so they can see the full power of the communication aspects of the system. It never fails to impress when we demonstrate our entire system without them even leaving their office! If you’d like to see how, contact us for a no-obligation demo.


8. There will be a mad panic once a year when we are audited

Only if your organisation hasn’t totally committed, from the boardroom through to the field sales rep. If it believes misconception No. 3 on this list, that ISO 27001 is the IT Director’s responsibility alone, then the chances are there has been no investment in the simple tools that make maintaining the standard straightforward.


9. It’s a fad…security breaches are being highlighted in the media at the moment but it won’t last

If only! Remember that 90% statistic in No. 1? That was up from 81% the previous year, and 59% of respondents in the same survey expect there to be more security incidents in the next year than in the last. Cybersecurity threats are here to stay.


10. Gaining ISO 27001 certification will make us ‘breach-proof’

Afraid not! Certification attests that you run a management system that identifies, assesses and treats information security risk; it does not attest that every control will hold against every attacker. However, with the right tools, your information security team will have more time to dedicate to strategic management and improvement, and less time will be needed for basic administration.

In summary, achieving ISO 27001:2013 certification will be hard work, and it is a significant investment in terms of time and cost. However, information security breaches are increasing and, whether it is to reduce your vulnerability, improve your basic business hygiene or gain more business, the benefits of certification far outweigh the drawbacks.


Sign up to our newsletter to receive the latest videos on implementing ISO 27001:2013 straight to your inbox.

If you would like to know more about how our cloud software solution, ISMS.online, can help you achieve ISO 27001:2013 faster and more cost-effectively, visit www.isms.online and arrange your demo today.