4 key benefits of ISO 27001 implementation
ISO 27001:2013 (the current version of ISO 27001) is one of the most popular information security standards in the world. More and more companies are achieving ISO 27001 certification to underline the robustness of their information security management.
Compliance with ISO 27001 was previously about having a competitive edge, but as ISO 27001 certification becomes the norm for best-practice information security, it’s increasingly a minimum entry to a tender or contract renewal. Conformity to the standard can make the difference between winning and losing those all important tenders.
What is ISO 27001:2013 and why is it so important for organisations?
ISO 27001 is the only standard that sets out the specifications for an information security management system (ISMS).
Organisations increasingly have to show they can be trusted for information security and privacy management and having ISO 27001 demonstrates that an organisation has identified risks and put in place preventative measures to protect the organisation from information security breaches.
ISO develops international standards, but does not issue certificates. For organisations in the UK, ISO 27001 recognition is at its most valuable when certified by a UKAS accredited certification body who will independently audit your organisation and provide you with ISO 27001 certification.
In North America, The ANSI National Accreditation Board (ANAB) is the largest accreditation body. To see a list of their accredited bodies, visit their directory. CDG are recognised as a popular certification body in India.
The “International Accreditation Forum” (IAF) maintains a list of all international accreditation bodies that are members of the IAF. This list can be found here: IAF Member List.
What are the top 4 benefits of achieving ISO 27001?
Benefit 1: Retaining customers and winning new business
Whilst the return on investment from an information security management system can be high, triggers for the initial investment generally come from external forces such as powerful customers.
There are growing numbers of stakeholders much more interested in how their valuable information is handled and protected. The risks involved in cyber security and data breaches of any kind are too great to simply go on a handshake and a promise that a new supplier is acting responsibly with information.
The historical belief about organisations naturally protecting privacy and security of data has been replaced with a suspicion that data is being mishandled. Organisations need to protect their business, and that includes the security of their supply chain. This is explored in more detail in our whitepaper ‘planning the business case for an information security management system’.
Aligning your organisation with the priorities and requirements of your customers will give you a competitive advantage and make you a far more attractive prospect.
Furthermore, ISO 27001 certification demonstrates robust security practices, thereby improving client relationships and client retention.
For many of our customers, their desire to achieve the ISO 27001 standard is driven by their client requirements, whether existing clients or when tendering to win new client business.
In each situation, whether the driver is to satisfy existing client or prospective client demands, there is usually always a time-sensitive goal with pressure to achieve certification quickly.
ISO 27001 Experience
Our initial driver to achieve ISO 27001 back in 2012 was that one of our existing customers required us to prove the reliability of our information security management system in order to continue to do business with us. Since then, this has been a story that we hear time and time again from our own customers. Read more about our story.
ISMS.online user, Amigo, recognised that the enterprise level customers they attract were increasingly seeking information security assurance. With no one person dedicated full time to an information security role, they decided to automate and simplify the process as much as possible. They achieved successful a smooth implementation and successful ISO 27001 audit – with just 2-3 weeks of effort committed to their ISO 27001 project – thanks to the huge head start that ISMS.online gave them.
Benefit 2: Preventing fines and loss of reputation
Under the EU’s General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO), in the UK, can now issue fines of up to 4% of a company’s annual turnover, or €20 million (whichever is greater) for the worst data offences.
The ICO states that “any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case by case basis”.
Improved information security and data protection is much higher on the list of priorities for the general public and business leaders alike.
And front page headlines of major fines being incurred due to significant data breaches will escalate the need for information security management even more with organisations not only looking at their own cybersecurity, but also the infosec credentials throughout their supply chains. This affects even the smallest of businesses as where there’s data handling and processing, there’s risk.
In July 2019, British Airways was handed a £183 million fine for infringement of the GDPR following a data breach which affected 500,000 customers last year, a cost that amounts to 1.5% of the airlines’ annual revenue.
Following that, a £100m penalty was imposed on the international hotel group Marriott, after hackers stole the records of 339 million guests.
It’s not just the larger companies falling fowl of the ICO. Smaller companies are incurring fines too. Privacy Affairs is collating data on General Data Protection Regulation fines and have found the smallest fine to be €194, which was incurred by a utility company in Czechia earlier this year.
Even where an organisation has incurred a small fine such as this, it will still have a detrimental effect on their business with them being less attractive to prospective customers.
It’s not surprising then that organisations want to strengthen their information security posture to avoid a fine. Careful consideration should be applied to the impact on the reputation of companies that received negative publicity from fines, or even just warning notices. This is likely to have a negative effect on their profit margins for years to come.
Benefit 3: Improving processes and strategies
In addition to improving how your organisation is perceived by your clients, suppliers and other stakeholders, ISO 27001 certification benefits your organisation’s internal systems, structure and day to day processes and procedures.
This is indeed one of the benefits of having an information security management system itself.
An important aspect of information security management is operational procedures and responsibilities. Under the Annex A.12 framework, there are requirements relating to the required processes and documented operating procedures for change and capacity management, development and testing and operational environments, controls against malware and information backup.
This provides a clear framework to consider information security risks, management processes and key operational elements such as how IT systems must be kept up to date, anti-virus protection, data storage and back-ups, IT change management, and event logging.
The processes required to meet the ISO 27001 standard results in better documentation and means that all staff will have clear guidelines to follow, which helps to keep the organisation secure and free from attack. This might include policies around the use of external drives, safe internet browsing, and strong passwords.
Cyber attacks and data breaches could always happen, but the forward planning that’s involved with ISO 27001 demonstrates that you have evaluated the risks, as well as your business continuity and breach reporting plan if things were to go wrong – hopefully reducing any costs incurred.
ISO 27001 experience
ISMS.online user, Oldfeld Partners, describe how prior to using ISMS.online they had achieved successful ISO 27001 implementation but were using documents and spreadsheets in various applications which were affecting productivity and their ability to do their ‘day job’. Their audit was fast approaching and they wanted to improve their existing systems to demonstrate improvement with best practice information security, hence their decision to use a cloud-based ISMS platform.
“We wanted to drive improvements and fast. The ISMS.online solution gave us structure, purpose built workspaces, and tools that enabled us to get our ISMS quickly performing the way we wanted it to.”
Andy Roberts, Head of Technology at Oldfield Partners LLP.
Benefit 4: Compliance with commercial, contractual and legal responsibilities
Annex A.18 of ISO 27001 is about compliance with legal and contractual requirements. The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A good control describes how all relevant legislative statutory, regulatory, contractual requirements, and the organisation’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organisation.
ISMS.online makes much of the compliance side of information security considerably easier. The built-in approval processes and automated reminders for reviews make life much easier and offer up a ‘living plan’ to show auditors you are in control of the ISMS.
An organisation that has considered and put in place the necessary requirements to meet the Annex A.18 framework will be able to demonstrate to all stakeholders that its future-proofed its business.
The benefits of implementing ISO 27001 in your organisation are clear. It leads to a stronger business model, longevity and an information security management system to be proud of.
Next steps – Planning the business case for an information security management system
The benefits of ISO 27001 are significant and easily outweigh the cost of having a professional information management system.
In fact, the Return on Investment (RoI) can be much more attractive than most business growth initiatives, especially if an organisations survival is dependent on having an ISMS that stakeholders can trust or it’s required to meet a regulation.